Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.


Access Control
There are a few methods of restricting access to a system that we will talk about in this chapter:
- DAC
- MAC
- Role Based
- Rule Based

Discretionary Access Control
The concept that a “data owner” is allowed to authorize access to subjects. This is based on the owner's discretion.
- Most commercial solutions implement Discretionary Access Control.
- ACLs are a common implementation of access controls in discretionary systems.

Discretionary access control

User Based
User Based – a DAC method where every user is assigned a unique ID.
- Permissions are granted to each individual user.
- If a user has permissions to a resource, they can access it.
- Advantages?
- Problems?

Group Based
A DAC method where groups are created.
- Users are placed in groups.
- Permissions are given to groups.
- If a user is in a group that has permission to a resource, then that user has permission to the resource.
- Advantages?
- Problems?

Group Based Access Control

Combination of Access
When you have user and group based access control, often groups AND users are both assigned permissions to resources. The total combination of those permissions is your effective permissions.
Example:
- John has Read access to file1.txt
- John is a member of managers, which has write access to file1.txt
- John's effective access is: read + write

Unix
Unix uses a “bit map” of permissions. The main permissions are:
- Read
- Write
- Execute
These permissions can be assigned to 3 categories: Owner, Group, All Others.
Ex. (see next page)

Owner  Group  Others
RWX    R-W    ---

Unix Permissions
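
How the Owner/Group/Others bit map is applied to a caller, as an added example that is not from the original slides: exactly one of the three categories is chosen, so Unix permission bits do not add up across categories the way the Windows ACL entries on the following slides do. The function names, uids, gids and modes are constructed for illustration, and root's ability to bypass the check is left out.

```python
# Added example: constructed uids, gids and modes; root's bypass is ignored.
BITS = (("r", 4), ("w", 2), ("x", 1))

def triplet(bits):
    """Render one 3-bit value as text, e.g. 5 -> 'r-x'."""
    return "".join(ch if bits & value else "-" for ch, value in BITS)

def render(mode):
    """Split a mode such as 0o750 into the three categories on the slide."""
    return {"owner": triplet((mode >> 6) & 7),
            "group": triplet((mode >> 3) & 7),
            "others": triplet(mode & 7)}

def applicable_class(file_uid, file_gid, uid, gids):
    """Pick the one category that applies: owner first, then group."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "others"

def unix_allows(mode, file_uid, file_gid, uid, gids, want):
    """True if every permission in `want` (e.g. 'rw') is in that category."""
    granted = render(mode)[applicable_class(file_uid, file_gid, uid, gids)]
    return all(ch in granted for ch in want)

if __name__ == "__main__":
    # File owned by uid 1000, group 50 (constructed values).
    print(render(0o750))
    print("group member may write:", unix_allows(0o750, 1000, 50, 1001, {50}, "w"))
    # The owner is also in group 50, but only the (empty) owner bits apply.
    print("owner may read 0o070:", unix_allows(0o070, 1000, 50, 1000, {50}, "r"))
```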

Windows Permissions
Windows uses Access Control Lists (also called NTFS permissions). ACLs are a much more flexible model that allows you to assign ANY combination of permissions to any combination of users and groups. (more)

Windows ACLs
The basic ACL permissions are:
- Full Control
- Modify
- Read
- Read and Execute
- Write

Windows ACLs
Windows ACLs are additive.
- Joe is a member of the managers group
- Joe is a member of the IT group
- file1.txt: managers = read, write; IT = read
What are Joe's “effective” permissions to file1.txt?

Windows No access permission
No access is a special permission in Windows. It NULLIFIES all other permissions.
- Joe is a member of managers
- Joe is a member of IT
- file1.txt: managers = full control, IT = read, joe = deny
What are Joe's effective permissions?
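
The effective-permission rules from the Combination of Access, Windows ACLs and No access slides (user and group grants add up, and a “No access” entry nullifies everything), worked through as an added example that is not part of the original slides. The function name, the DENY marker and the ACL dictionaries are assumptions for illustration, and the code follows the slides' simplified model rather than the full NTFS evaluation order.

```python
# Added example: constructed names and ACLs, following the slides' model.
DENY = "deny"  # stands in for the slides' "No access" entry

def effective_permissions(user, groups, acl):
    """Return (permissions, sources) for `user` on one resource.

    acl maps a principal (user or group name) to a set of permissions or
    to DENY. Grants from the user's own entry and from every group are
    added together; one DENY on any of them nullifies all the rest.
    sources records which principal contributed each permission, which is
    what you need when deciding where to remove an unwanted grant.
    """
    principals = [user, *sorted(groups)]
    # A deny anywhere wins, so look for it before adding anything up.
    for principal in principals:
        if acl.get(principal) == DENY:
            return set(), {DENY: [principal]}
    sources = {}
    for principal in principals:
        for perm in acl.get(principal, ()):
            sources.setdefault(perm, []).append(principal)
    return set(sources), sources

# The three cases from the slides, as constructed data.
JOHN = effective_permissions(
    "john", {"managers"},
    {"john": {"read"}, "managers": {"write"}})
JOE_ADDITIVE = effective_permissions(
    "joe", {"managers", "it"},
    {"managers": {"read", "write"}, "it": {"read"}})
JOE_DENIED = effective_permissions(
    "joe", {"managers", "it"},
    {"managers": {"full control"}, "it": {"read"}, "joe": DENY})

if __name__ == "__main__":
    for name, (perms, sources) in [("john", JOHN),
                                   ("joe, additive", JOE_ADDITIVE),
                                   ("joe, denied", JOE_DENIED)]:
        print(f"{name}: {sorted(perms) or 'no access'}  from {sources}")
```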

MAC

Mandatory Access Control
Mandatory Access Control means that the system is configured with a set of RULES for access and strictly enforces them.
- The Data Owner is not able to arbitrarily set permissions for users or groups.
- Military systems use MAC, usually in a “clearance level” model.
(more)

MAC and clearances
Clearance Levels – data is classified into a level by the data owner:
- Top Secret – exceptionally grave damage to national security
- Secret – serious damage to national security
- Confidential – damaging national security
- Unclassified – public
(more)

MAC and clearances
Now users are given a clearance level. For example: Bob has secret clearance.
- If Bob wants to access a document, the OS looks at the document's classification and Bob's clearance level.
- Bob will only get access if his clearance “dominates”.

Example question 1
- Budget.txt classification: secret
- Bob's clearance: top secret
Can Bob read the file budget.txt?

Example question 2
- super-secret-file.txt classification: Top Secret
- Bob's clearance: secret
Can Bob access the file “super-secret-file.txt”?

Role Based Access Control (546)
Access to resources is given to job positions or “roles”. Users are assigned to roles, and then they have the access rights that the roles have.
- Much more scalable model than individually assigning permissions
- Avoids Authorization Creep
- Great for large companies
- Great if there is a lot of turnover

Rule Based
The decision to grant access to an item is based on a set of rules (yes or no questions).
Example: You may access a file IF
- You are in the management group
- The time is between 9AM-5PM Monday-Friday
Firewalls use rule based access control to analyze a packet and see if it should be allowed based on the “firewall rules”.
Advantages:
- Very flexible type of control
- Can be combined with other types of access controls
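
The rule-based example above (management group, 9AM-5PM Monday-Friday), combined with the clearance check from the MAC slides as one more yes/no rule. This is an added example, not part of the original slides; the request fields, rule names and dates are constructed for illustration.

```python
# Added example: constructed requests; field and rule names are assumptions.
from datetime import datetime

# Lowest to highest, using the levels named on the MAC slides.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

def dominates(clearance, classification):
    """A clearance dominates a classification at the same or a lower level."""
    return LEVELS.index(clearance.lower()) >= LEVELS.index(classification.lower())

def in_management(req):
    return "management" in req["groups"]

def business_hours(req):
    t = req["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17   # Mon=0 .. Fri=4

def cleared(req):
    return dominates(req["clearance"], req["classification"])

RULES = [("in management group", in_management),
         ("9AM-5PM Monday-Friday", business_hours),
         ("clearance dominates classification", cleared)]

def decide(req, rules=RULES):
    """Every rule must answer yes. Returns (allowed, names of failed rules)."""
    failed = [name for name, check in rules if not check(req)]
    return not failed, failed

def request(groups, when, clearance, classification):
    return {"groups": set(groups), "time": when,
            "clearance": clearance, "classification": classification}

# Constructed timestamps: 5 March 2024 is a Tuesday, 9 March a Saturday.
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)

if __name__ == "__main__":
    print(decide(request(["management"], TUESDAY_10AM, "top secret", "secret")))
    print(decide(request(["staff"], SATURDAY_10AM, "secret", "Top Secret")))
```

Returning the names of the failed rules, not just yes or no, gives the audit log something useful to record for each denied request.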

Auditing

If you are going to bother to protect a resource:
- You should enable auditing on the resource
- You should check the audit logs to determine who is accessing what
- See if people are accessing things they don’t really need (then remove permissions)
- See if people are accessing things “too much”
- Determine if people's access is not sufficient for their job requirements
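
One way to carry out the log review described above, as an added example that is not from the original slides: it compares what each user has been granted with what the audit log shows them doing. The key=value log format, the field names, the threshold and the sample entries are constructed; real Syslog or Event Viewer records would need their own parser.

```python
# Added example: constructed log lines in a hypothetical key=value format.
from collections import Counter

AUDIT_LOG = """\
2024-03-05T09:14:02 user=joe action=read resource=file1.txt result=allowed
2024-03-05T09:20:47 user=joe action=read resource=file1.txt result=allowed
2024-03-05T10:02:11 user=ann action=read resource=budget.txt result=denied
2024-03-05T10:02:15 user=ann action=read resource=budget.txt result=denied
2024-03-05T11:31:09 user=bob action=read resource=budget.txt result=allowed
2024-03-05T13:45:30 user=joe action=read resource=file1.txt result=allowed
"""

# (user, resource) -> permissions currently granted (constructed).
GRANTS = {("joe", "file1.txt"): {"read", "write"},
          ("bob", "budget.txt"): {"read"},
          ("bob", "file1.txt"): {"read"}}

def parse(line):
    """Split 'timestamp key=value ...' into a dict."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = timestamp
    return record

def access_key(event):
    return event["user"], event["resource"], event["action"]

def review(log_text, grants, heavy_threshold=3):
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    used = Counter(access_key(e) for e in events if e["result"] == "allowed")
    denied = Counter(access_key(e) for e in events if e["result"] == "denied")
    # Granted but never exercised: candidates for removing permissions.
    unused = sorted((u, r, p) for (u, r), perms in grants.items()
                    for p in perms if (u, r, p) not in used)
    # Accessed "too much": at or above the threshold in this log window.
    heavy = sorted(k for k, n in used.items() if n >= heavy_threshold)
    # Repeated denials may mean access is not sufficient for the job.
    return {"unused": unused, "heavy": heavy, "denied": dict(denied)}

if __name__ == "__main__":
    for finding, items in review(AUDIT_LOG, GRANTS).items():
        print(finding, items)
```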

Audit Files and Logs
- Unix/Linux – Syslog (framework)
- Windows – Event Viewer (see next slide)
- Applications – Specific log files for application.
- Firewall logs
- Anti-virus logs
- Database logs
- Web server logs
- Mail server logs
- DNS server logs

Event Viewer
Open up Event Viewer if you’ve never used it before, and look around!

Chapter 19 - Review
Q. What is role based access control?
Q. What is MAC? Where is it usually used?
Q. What is DAC? Where is it usually used?
Q. What is rule based access control?

Chapter 19 - Review
Q. Should user IDs be shared?
Q. Why is auditing necessary?
Q. What types of access control does Windows Server use for files and directories?
Q. What are the 3 Unix access permissions? What are the 3 different “components” they can be applied to?