7-Access Control Fundamentals

transcript

Dr. John P. Abraham

Professor

Access Control

• Process by which resources are ganted or denied on a network. Basic steps:– Identification – review of credentials– Authentication – Validate credentials as genuine– Authorization – Permission granted to network– Access – right given to access specific resources

• Physical Access control, Hardware control, software control, policy control

Security+ Guide to Network Security Fundamentals, Third Edition 3

Access Control Terminology (continued)

Access Control models

• Mandatory Access Control (MAC)

• Discretionary Access Control (DAC)

• Role Based Access Control (RBAC)

• Rule Bases Access Control (RBAC)

Mandatory Access Control – used in defense and military.

• Most restrictive• Owner/Administrator responsible for managing

access controls.• Owner defines a policy about users or user

groups who can operate objects.• Administrator implements the policy.• Users can’t modify the policy• If numbers are assigned to users and objects,

user number had to be higher than object number to have access to that object.

Access Control Terminology (continued)

Discretionary Access Control

• Least restrictive• Users can manipulate any objects and • End user sets the level of security – it is a

major weakness• User’s permission will be inherited by any

programs that the subject executes. Operating systems are now beginning to ask users for permission when installing a software (User Account Control or UAC).

• Primary restrictions implemented by UAC:– Run with limited privileges by default for

administrators. Gives Windows needs your permission to continue popup. Software can’t secretly install itself.

– Standard user account can run allowed applications without having administrator privileges.

– Standard users can perform common tasks such as installing new fonts or adding a printer. without having administrative privileges.

Security+ Guide to Network Security Fundamentals, Third Edition

Access Control Models (continued)

Role Based Access Control

• Instead of setting permission for each user or group, RBAC model assigns permission to particular roles in the organization then assigns users to that role. User can only belong to one role. Users can’t be given permissions beyond the role.

Access Control Models (continued)

Rule Based Access Control

• Each resource object contains a set of access properties based on the rules. This is good when a user needs to access several systems.

Practices for Access Control

• Separation of duties: Prevent too much control by just one person. Owner and administrator should be two different individuals.

• Job rotation: responsibilities should be rotated. Requires cross training.

• Lease privilege: Give minimum required privilege.

• Implicit Deny: Deny all, except allowed ones.

Logical Access Control Methods:

• Access Control lists (ACLs), group policies, account restrictions and passwords.– ACL – set of permissions attached to an

object. Unix rwx Windows: full, modify, read&execute, read write, special permissions.

Access Control Lists (ACLs) (continued)

Group Policies• Microsoft windows feature that provides centralized

management of– Configuration of computers– Remote users

• Uses active directory• Used in enterprise environments to restrict user actions

that may pose a security risk• Group policy can control logging in scripts, folder

redirection, internet explorer settings and windows registry settings.

• Group policy settings are stored in group policy objects

which may in turn me linked to multiple domains.

Account restrictions

• Time of day restrictions

• Account expiration

• Password policy: Password expiration, used passwords can’t reused, strong passwords: required Uppercase, lower case and numbers, and length of characters.

Attacks on passwords

• Brute force attack. Simply guessing passwords such as first name, family members name, birthdates, cities, etc.

• Dictionary attack. Regular words and hashed words. Hashed words are encrypted passwords of dictionary words. Stolen password files from the computer will be hashed. Hashed words can be compared to these words in hashed files to discover the real passwords.

Passwords (continued)

Physical access control

• Secure the system• Remove or disable hardware that can provide access to

computer such as USB ports and DVD drives• Rack mounted servers are preferred. Several such

servers will have one keyboard and mouse (KVM swiches, with username and password security)

• Door Security – Lock or door access system (either key pad or physical tokens such as IDbadge with RFID)

• Video surveillance• Physical Access log

Video Surveillance

• Closed circuit television (CCTV)– Using video cameras to transmit a signal to a

specific and limited set of receivers

• Some CCTV cameras are fixed in a single position pointed at a door or a hallway

• Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view

Physical Access Log

• Physical access log– A record or list of individuals who entered a secure

area, the time that they entered, and the time they left the area

– Can also identify if unauthorized personnel have accessed a secure area

• Physical access logs originally were paper documents– Today, door access systems and physical tokens

can generate electronic log documents

7-Access Control Fundamentals

Documents