7-Access Control Fundamentals

Date post: 01-Feb-2016

Transcript

Page 1: 7-Access Control Fundamentals

7-Access Control Fundamentals

Dr. John P. Abraham

Professor

UTPA

Page 2: 7-Access Control Fundamentals

Access Control

• Process by which resources on a network are granted or denied. Basic steps:
  – Identification – the subject presents credentials (for example, a username)
  – Authentication – the credentials are validated as genuine
  – Authorization – permission is granted to take an action
  – Access – the right to use specific resources is given

• Kinds of control: physical access control, hardware control, software control, policy control

Page 3: 7-Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition 3

Access Control Terminology (continued)

Page 4: 7-Access Control Fundamentals

Access Control models

• Mandatory Access Control (MAC)

• Discretionary Access Control (DAC)

• Role Based Access Control (RBAC)

• Rule-Based Access Control (also abbreviated RBAC, or RuBAC to distinguish it from role-based)

Page 5: 7-Access Control Fundamentals

Mandatory Access Control (MAC) – used in defense and military settings.

• Most restrictive model.
• The owner/administrator is responsible for managing access controls: the owner defines a policy about which users or user groups may operate on objects, and the administrator implements that policy.
• Users cannot modify the policy; sensitivity labels are fixed by the system, not by the subject or by the object's owner.
• If numbers are assigned to users (clearance) and objects (classification), a user's number must be equal to or higher than the object's number to read that object: a user cleared at level 3 can read objects labeled 3, 2, 1 or 0, but not 4.
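
The numeric rule above as a small reference monitor, written for this page as an added example (not code from the slides or from the Security+ text). It assumes integer levels where a higher number is more sensitive, and it extends the slide's single read rule with the classic Bell-LaPadula write rule (no write-down), which the slide does not state; all subjects, objects and level names are constructed.

```python
"""Added example (not from the slides): mandatory access control with
numeric sensitivity levels. Read is allowed only when the subject's
clearance is at least the object's classification (the slide's rule);
write is allowed only when the subject's level is at most the object's
(Bell-LaPadula no-write-down, a generalisation beyond the slide).
Neither users nor owners can change labels: only this policy decides.
"""
from dataclasses import dataclass

# Constructed level scheme; only the numbers matter to the policy.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)          # frozen: a subject cannot edit its own clearance
class Subject:
    name: str
    clearance: int


@dataclass(frozen=True)
class Obj:
    name: str
    classification: int


def mac_permits(subject, obj, op):
    """Reference-monitor decision for one (subject, object, operation)."""
    if op == "read":
        return subject.clearance >= obj.classification      # no read-up
    if op == "write":
        return subject.clearance <= obj.classification      # no write-down
    raise ValueError(f"unknown operation: {op!r}")


def access_matrix(subjects, objects, op):
    """Every (subject, object) decision for one operation."""
    return {(s.name, o.name): mac_permits(s, o, op) for s in subjects for o in objects}


# Constructed sample subjects and objects
SUBJECTS = [Subject("alice", LEVELS["SECRET"]), Subject("bob", LEVELS["UNCLASSIFIED"])]
OBJECTS = [Obj("ops-plan.doc", LEVELS["SECRET"]), Obj("menu.txt", LEVELS["UNCLASSIFIED"])]

if __name__ == "__main__":
    for op in ("read", "write"):
        for (s, o), ok in access_matrix(SUBJECTS, OBJECTS, op).items():
            print(f"{s:6} {op:5} {o:14} -> {'ALLOW' if ok else 'DENY'}")
```

Note that bob, at the lowest level, may write into a SECRET document but never read it; that is the confidentiality model working as designed, and it is why MAC systems usually pair these rules with an integrity policy.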

Page 6: 7-Access Control Fundamentals

Access Control Terminology (continued)

Page 7: 7-Access Control Fundamentals

Discretionary Access Control (DAC)

• Least restrictive model.
• Every object has an owner; the owner can manipulate any object they own and grant other users access to it.
• The end user sets the level of security – this reliance on user judgement is a major weakness.
• A subject's permissions are inherited by any program the subject executes, so a malicious program runs with the full rights of the user who launched it. Operating systems now ask the user for permission before installing software (User Account Control, UAC, on Windows).
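
The inheritance weakness in the last bullet, shown in a toy DAC store written for this page (an added example, not code from the slides). The store, the users, the file and the "screensaver" program are all constructed; the point is that a program started by the owner gets the owner's full discretionary rights and can re-share the owner's data.

```python
"""Added example (not from the slides): a toy discretionary access control
store. Every object has an owner, and only a holder of 'grant' (the owner,
or someone the owner delegated to) can change its ACL. A program run by a
user receives exactly the user's permissions, so an untrusted program
launched by the owner can read and re-share the owner's files.
"""
ALL_PERMS = {"read", "write", "grant"}


class DacStore:
    def __init__(self):
        self.owner = {}   # object name -> owner
        self.acl = {}     # object name -> {user: set of perms}
        self.data = {}    # object name -> content

    def create(self, owner, obj, content):
        self.owner[obj] = owner
        self.acl[obj] = {owner: set(ALL_PERMS)}   # owner has total control
        self.data[obj] = content

    def permits(self, user, obj, perm):
        return perm in self.acl.get(obj, {}).get(user, set())

    def grant(self, by, obj, to, perm):
        # Discretionary: the ACL changes at the discretion of whoever holds 'grant'
        if not self.permits(by, obj, "grant"):
            raise PermissionError(f"{by} may not change the ACL of {obj}")
        self.acl[obj].setdefault(to, set()).add(perm)

    def read(self, user, obj):
        if not self.permits(user, obj, "read"):
            raise PermissionError(f"{user} may not read {obj}")
        return self.data[obj]


def run_as(store, user, program):
    """Execute `program` with the authority of `user`; the model has no way
    to give a program fewer rights than the user who started it."""
    return program(store, user)


def trojan_screensaver(store, user):
    """Constructed malicious program: its hidden job uses the launching
    user's rights to read a private file and hand it to 'mallory'."""
    secret = store.read(user, "alice-notes.txt")
    store.grant(user, "alice-notes.txt", "mallory", "read")
    return secret


def demo():
    store = DacStore()
    store.create("alice", "alice-notes.txt", "Q3 salary list")

    # 1. The ACL itself works: mallory has nothing and cannot self-grant.
    mallory_before = store.permits("mallory", "alice-notes.txt", "read")
    try:
        store.grant("mallory", "alice-notes.txt", "mallory", "read")
        self_grant_refused = False
    except PermissionError:
        self_grant_refused = True

    # 2. The weakness: alice runs an untrusted program, which inherits her rights.
    leaked = run_as(store, "alice", trojan_screensaver)
    mallory_after = store.permits("mallory", "alice-notes.txt", "read")
    return mallory_before, self_grant_refused, leaked, mallory_after


if __name__ == "__main__":
    print(demo())
```

This is the reason UAC-style prompts exist: the operating system cannot tell a screensaver from a trojan, so it at least asks before a program running as the user takes an administrative action.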

Page 8: 7-Access Control Fundamentals

UAC

• Primary restrictions implemented by UAC:
  – Administrators run with limited (standard-user) privileges by default. An action that needs elevation produces the "Windows needs your permission to continue" prompt, so software cannot secretly install itself.
  – A standard user account can run allowed applications without having administrator privileges.
  – Standard users can perform common tasks such as installing new fonts or adding a printer without administrative privileges.

Page 9: 7-Access Control Fundamentals

Access Control Models (continued)

Page 10: 7-Access Control Fundamentals

Role Based Access Control

• Instead of setting permissions for each user or group, the RBAC model assigns permissions to particular roles in the organization and then assigns users to those roles. In the basic model presented here a user belongs to one role and cannot be given permissions beyond it; fuller RBAC implementations (for example the NIST model) let a user hold several roles, but permissions still reach a user only through a role.

Page 11: 7-Access Control Fundamentals

Access Control Models (continued)

Page 12: 7-Access Control Fundamentals

Rule Based Access Control

• Each resource object carries a set of access properties (rules) that are evaluated when access is requested, for example the time of day or the address of the requesting system. Because the rules travel with the object rather than with each user account, this model works well when a user needs to access several systems.
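
Role-based (Page 10) and rule-based (Page 12) access control together in one policy engine, written for this page as an added example (not code from the slides). Users map to roles and roles to permissions; each resource additionally carries rules over the request context, here a time-of-day window and a source network. Anything not explicitly granted is denied. Unlike the one-role-per-user model on Page 10, a user may hold several roles here, as in the NIST RBAC model. Roles, users, resources, rules and the requests are all constructed.

```python
"""Added example (not from the slides): RBAC with rule-based conditions
attached to each resource. Decision order: does any of the user's roles
carry the (resource, action) permission? If so, do all of the resource's
rules hold for this request? Otherwise deny (implicit deny).
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Role -> set of (resource, action) permissions (constructed)
ROLE_PERMS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit-log", "read")},
    "finops":  {("ledger", "read"), ("ledger", "write")},
}
# User -> set of roles; permissions are never attached to users directly
USER_ROLES = {
    "dana": {"clerk"},
    "eve":  {"auditor"},
    "finn": {"finops", "clerk"},
}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    at: time        # wall-clock time of the request
    src: str        # source IP address as text


def request(user, resource, action, hhmm, src):
    """Build a Request from an 'HH:MM' string."""
    hh, mm = (int(x) for x in hhmm.split(":"))
    return Request(user, resource, action, time(hh, mm), src)


# Rule-based part: predicates over the request, attached per resource
def business_hours(req):
    return time(8, 0) <= req.at < time(18, 0)


def from_corp_net(req):
    return ip_address(req.src) in ip_network("10.0.0.0/8")   # constructed corporate range


RESOURCE_RULES = {
    "ledger":    [business_hours, from_corp_net],
    "audit-log": [from_corp_net],
}


def rbac_permits(user, resource, action):
    roles = USER_ROLES.get(user, set())
    return any((resource, action) in ROLE_PERMS.get(r, set()) for r in roles)


def decide(req):
    """Return (allowed, reason): role check first, then every object rule;
    a request that matches nothing is denied by default."""
    if not rbac_permits(req.user, req.resource, req.action):
        return False, "no role grants this permission"
    for rule in RESOURCE_RULES.get(req.resource, []):
        if not rule(req):
            return False, f"rule failed: {rule.__name__}"
    return True, "allowed"


if __name__ == "__main__":
    for r in [
        request("finn", "ledger", "write", "10:15", "10.1.2.3"),
        request("dana", "ledger", "write", "10:15", "10.1.2.3"),
        request("finn", "ledger", "write", "23:00", "10.1.2.3"),
        request("eve", "audit-log", "read", "23:00", "203.0.113.5"),
        request("mallory", "ledger", "read", "10:15", "10.1.2.3"),
    ]:
        print(r.user, r.action, r.resource, "->", decide(r))
```

The time-of-day rule is the same control that Page 18 lists under account restrictions; here it is attached to the object rather than to the account, which is the difference between rule-based access control and a per-account logon restriction.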

Page 13: 7-Access Control Fundamentals

Practices for Access Control

• Separation of duties: Prevent too much control by just one person. Owner and administrator should be two different individuals.

• Job rotation: responsibilities should be rotated. Requires cross training.

• Least privilege: give the minimum privilege required to do the job.

• Implicit deny: deny everything that is not explicitly allowed.

Page 14: 7-Access Control Fundamentals

Logical Access Control Methods:

• Access control lists (ACLs), group policies, account restrictions and passwords.
  – ACL – a set of permissions attached to an object. Unix: read, write, execute (rwx) for the owner, the group and others. Windows (NTFS): full control, modify, read & execute, read, write, and special permissions.
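
How a Unix system actually evaluates the rwx bits, as an added example written for this page (not code from the slides). Exactly one permission class applies to a request: owner if the caller owns the file, otherwise group if any of the caller's groups matches the file's group, otherwise other. The classes are not merged, so an owner can be refused by a file whose "other" bits are more generous than its owner bits. The parser handles ls -l style strings; the files and user IDs are constructed, and Windows NTFS ACLs (explicit deny entries, inheritance) are deliberately not modelled.

```python
"""Added example (not from the slides): Unix rwx evaluation.
uid 0 bypasses read/write checks but may execute only when some execute
bit is set (Linux CAP_DAC_OVERRIDE behaviour).
"""
OPS = {"read": 4, "write": 2, "execute": 1}


def parse_mode(text):
    """'rwxr-x---' -> 0o750. The setuid/setgid/sticky markers that ls shows
    in the x slots ('s','S','t','T') are reduced to whether execute is set."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters, e.g. rwxr-x---")
    mode = 0
    for pos, ch in enumerate(text):
        expected = "rwx"[pos % 3]
        if ch == "-" or ch in "ST":
            continue                      # bit clear (S/T: special bit, no execute)
        if ch == expected or (expected == "x" and ch in "st"):
            mode |= 1 << (8 - pos)        # pos 0 is 0o400, pos 8 is 0o001
        else:
            raise ValueError(f"unexpected {ch!r} at position {pos}")
    return mode


def unix_permits(mode, owner_uid, owner_gid, uid, gids, op):
    """Decide one operation for a caller with uid and supplementary gids."""
    need = OPS[op]
    if uid == 0:
        return need != 1 or (mode & 0o111) != 0
    if uid == owner_uid:
        cls = (mode >> 6) & 0o7           # owner class, and only the owner class
    elif owner_gid in gids:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    return cls & need == need


def demo():
    # constructed: /srv/report.txt owned by uid 1000, group 100, mode rw-r-----
    report = (parse_mode("rw-r-----"), 1000, 100)
    # constructed: a file whose owner bits are empty although others may read it
    odd = (parse_mode("---rwxrwx"), 1000, 100)
    return {
        "owner writes report":  unix_permits(*report, 1000, {100}, "write"),
        "group member writes":  unix_permits(*report, 1001, {100}, "write"),
        "group member reads":   unix_permits(*report, 1001, {100}, "read"),
        "outsider reads":       unix_permits(*report, 1002, {200}, "read"),
        "owner reads odd file": unix_permits(*odd, 1000, {100}, "read"),
        "outsider reads odd":   unix_permits(*odd, 1002, {200}, "read"),
        "root reads report":    unix_permits(*report, 0, {0}, "read"),
        "root executes report": unix_permits(*report, 0, {0}, "execute"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} -> {'ALLOW' if ok else 'DENY'}")
```

The "owner reads odd file" case is the one auditors miss when reading a mode like 077: the owner is locked out while everyone else gets in, because only the owner triple is consulted for the owner.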

Page 15: 7-Access Control Fundamentals

Access Control Lists (ACLs) (continued)

Page 17: 7-Access Control Fundamentals

Group Policies

• Microsoft Windows feature that provides centralized management of:
  – configuration of computers
  – remote users
• Uses Active Directory.
• Used in enterprise environments to restrict user actions that may pose a security risk.
• Group Policy can control logon scripts, folder redirection, Internet Explorer settings and Windows registry settings.
• Group Policy settings are stored in Group Policy Objects (GPOs), which may in turn be linked to sites, domains or organizational units; one GPO can be linked in several places.

Page 18: 7-Access Control Fundamentals

Account restrictions

• Time-of-day restrictions
• Account expiration
• Password policy: password expiration, previously used passwords cannot be reused (password history), and strong passwords that require uppercase and lowercase letters, numbers, and a minimum length. Current guidance (NIST SP 800-63B) favours length and screening against known-breached passwords over forced periodic expiration and composition rules.

Page 20: 7-Access Control Fundamentals

Attacks on passwords

• Brute force attack: the attacker systematically tries every possible combination of characters until the password is found. Guessing personal information such as first names, family members' names, birthdates or cities is a related shortcut that narrows the search.

• Dictionary attack: the attacker tries regular words, and the hashed forms of those words. Passwords are stored as hashes (one-way digests, not encrypted passwords), so a password file stolen from a computer contains hashes rather than plaintext. The attacker hashes each dictionary word and compares the result with the entries in the stolen file; a match reveals the real password.
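
The dictionary attack run against a constructed stolen password file, as an added example written for this page (not code from the slides). It is run twice: once against bare SHA-256 digests, where one pass over the dictionary produces a lookup table that cracks every user at once, and once against per-user random salts with PBKDF2, where the table is useless and every (word, user) pair costs a fresh slow hash. The accounts, the dictionary and the iteration count are constructed; real deployments use a memory-hard hash (bcrypt, scrypt, Argon2) or PBKDF2 with a far higher iteration count than the one used here for speed.

```python
"""Added example (not from the slides): dictionary attack against stolen
password hashes, unsalted versus salted-and-slow. Note that the weak
passwords still fall in the salted case; salting and slow hashing raise
the attacker's cost, they do not rescue a dictionary word.
"""
import hashlib
import os

# Constructed attacker dictionary (deliberately tiny)
DICTIONARY = ["password", "letmein", "welcome", "dragon", "qwerty", "summer2016"]

# Constructed accounts; carol's password is not in the dictionary
ACCOUNTS = [("alice", "dragon"), ("bob", "summer2016"), ("carol", "x7#Qm!2pLz")]
ITERATIONS = 2000   # kept low so the example runs quickly


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# "Stolen" password files as the attacker would hold them
STOLEN_UNSALTED = {user: sha256_hex(pw) for user, pw in ACCOUNTS}
STOLEN_SALTED = {}
for _user, _pw in ACCOUNTS:
    _salt = os.urandom(16)
    STOLEN_SALTED[_user] = (_salt, pbkdf2_hex(_pw, _salt))


def attack_unsalted(stolen, words):
    """Hash each word once: the cost is len(words) regardless of how many
    users leaked, and the table can be kept for the next leak too."""
    table = {sha256_hex(w): w for w in words}
    found = {user: table[digest] for user, digest in stolen.items() if digest in table}
    return found, len(words)


def attack_salted(stolen, words):
    """Each user's salt forces a separate hash computation per candidate."""
    found, work = {}, 0
    for user, (salt, digest) in stolen.items():
        for w in words:
            work += 1
            if pbkdf2_hex(w, salt) == digest:
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print("unsalted:", attack_unsalted(STOLEN_UNSALTED, DICTIONARY))
    print("salted:  ", attack_salted(STOLEN_SALTED, DICTIONARY))
```

With six words and three users the salted run does 16 PBKDF2 computations against 6 SHA-256 computations for the unsalted file; scale the dictionary to millions of words, the leak to millions of users and the iteration count to the hundreds of thousands, and that ratio is what separates a weekend job from an infeasible one.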

Page 21: 7-Access Control Fundamentals

Passwords (continued)

Page 23: 7-Access Control Fundamentals

Physical access control

• Secure the system.
• Remove or disable hardware that can provide access to the computer, such as USB ports and DVD drives.
• Rack-mounted servers are preferred. Several such servers share one keyboard, mouse and monitor through a KVM switch, which should itself require a username and password.
• Door security – a lock or door access system (either a keypad or physical tokens such as an ID badge with RFID).
• Video surveillance
• Physical access log

Page 26: 7-Access Control Fundamentals

Video Surveillance

• Closed circuit television (CCTV) – using video cameras to transmit a signal to a specific and limited set of receivers
• Some CCTV cameras are fixed in a single position pointed at a door or a hallway
• Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view

Page 28: 7-Access Control Fundamentals

Physical Access Log

• Physical access log – a record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
  – Can also identify whether unauthorized personnel have accessed a secure area
• Physical access logs originally were paper documents
  – Today, door access systems and physical tokens can generate electronic log records