Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

1 Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki

2 Access Control
There are a few methods of restricting access to a system that we will talk about in this chapter: DAC, MAC, Role Based, Rule Based.

3 Discretionary Access Control
Concept that a “data owner” is allowed to authorize access to subjects. This is based on their discretion. Most commercial solutions implement Discretionary Access Control. ACLs are a common implementation of access controls in Discretionary systems.

4 Discretionary access control

5 User Based
User Based – a DAC method where every user is assigned a unique ID. Permissions are granted to each individual user. If a user has permissions to a resource, they can access it.
Advantages? Problems?

6 Group Based
A DAC method where groups are created. Users are placed in groups. Permissions are given to groups. If a user is in a group that has permission to a resource, then that user has permission to the resource.
Advantages? Problems?

7 Group Based Access Control

8 Combination of Access
When you have user and group based access control, often groups AND users are both assigned permissions to resources, and the total combination of permissions is your effective permissions.
Example: John has Read access to file1.txt. John is a member of managers, which has Write access to file1.txt. John's effective access is: read + write.

9 Unix
Unix uses a “bit map” of permissions. The main permissions are Read, Write, Execute, and these permissions can be assigned to 3 categories: Owner, Group, All Others. Ex. (see next page)

Owner   Group   Others
RWX     R-W     ---

10 Unix Permissions
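Added example (not from the slides): how the Unix permission bit map is read. The key point it shows is that Unix picks exactly one category for a requester, in the order owner, group, others, and applies only that category's bits; it does not add categories together. The uids and gids are constructed sample values, and the slide's table is taken as owner rwx, group read+write, others nothing (mode 0o760).

```python
# Added example (not from the slides): interpreting a Unix permission
# "bit map". Unix picks exactly ONE category for a requester, in the
# order owner, group, others, and applies only that category's bits.
# uids/gids below are constructed sample values.

PERM_NAMES = ("r", "w", "x")   # bit 4, bit 2, bit 1 within each 3-bit group

def mode_to_string(mode):
    """Render the low nine bits of a mode as owner/group/others rwx text."""
    text = ""
    for shift in (6, 3, 0):            # owner, group, others
        bits = (mode >> shift) & 0o7
        text += "".join(n if bits & (4 >> i) else "-" for i, n in enumerate(PERM_NAMES))
    return text

def effective_perms(mode, file_uid, file_gid, uid, gids):
    """Permissions {r,w,x} that user `uid` (member of groups `gids`) gets on a
    file owned by file_uid:file_gid with the given mode bits."""
    if uid == file_uid:
        shift = 6                      # owner bits, even if also in the group
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return {n for i, n in enumerate(PERM_NAMES) if bits & (4 >> i)}

# Slide 9's table: owner RWX, group read+write, others nothing -> mode 0o760.
SLIDE_MODE = 0o760
FILE_UID, FILE_GID = 1000, 50          # constructed: file owned by uid 1000, group 50

if __name__ == "__main__":
    print(mode_to_string(SLIDE_MODE))                                   # rwxrw----
    print(effective_perms(SLIDE_MODE, FILE_UID, FILE_GID, 1001, {50}))  # {'r', 'w'}
    # An owner whose own bits are weaker than the group's does NOT get the group bits:
    print(effective_perms(0o470, FILE_UID, FILE_GID, FILE_UID, {FILE_GID}))  # {'r'}
```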

11 Windows Permissions
Windows uses Access Control Lists (also called NTFS permissions). ACLs are a much more flexible model that allows you to assign ANY combination of permissions to any combination of users and groups. (more)

12 Windows ACLs
The basic ACL permissions are: Full Control, Modify, Read, Read and Execute, Write.

13 Windows ACLs
Windows ACLs are additive.
Joe is a member of the managers group. Joe is a member of the IT group.
file1.txt: managers = read, write; IT = read
What are Joe's “effective” permissions to file1.txt?

14 Windows No access permission
No access is a special permission in Windows. It NULLIFIES all other permissions.
Joe is a member of managers. Joe is a member of IT.
file1.txt: managers = full control; IT = read; joe = deny
What are Joe's effective permissions?
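Added example (not from the slides): computing effective permissions the way slides 8, 13 and 14 describe. Allow entries for the user and all of their groups are added together, and a deny entry that applies removes those rights regardless of what else was granted. The rights are modelled as independent flags, with Full Control standing for all of them, which is a simplification of real NTFS rights.

```python
# Added example (not from the slides): "effective" permissions from a
# Windows-style ACL. Allow entries for the user AND every group they are
# in are added together; a Deny entry that applies removes those rights
# no matter what else was granted. Rights are modelled as independent
# flags, with Full Control standing for all of them (a simplification).

BASIC_RIGHTS = frozenset({"read", "read and execute", "write", "modify"})

def expand(rights):
    """Full Control is shorthand for every basic right."""
    return set(BASIC_RIGHTS) if "full control" in rights else set(rights)

def effective_rights(acl, user, groups):
    """acl: list of (principal, 'allow'|'deny', rights). Returns the rights
    `user` (a member of `groups`) ends up with."""
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue                   # entry does not apply to this user
        if kind == "allow":
            allowed |= expand(rights)
        elif kind == "deny":
            denied |= expand(rights)
        else:
            raise ValueError("unknown ACE type: %r" % kind)
    return allowed - denied            # deny wins over any allow

JOE_GROUPS = {"managers", "IT"}

# Slide 13: allows from two groups are additive.
ACL_ADDITIVE = [("managers", "allow", {"read", "write"}),
                ("IT", "allow", {"read"})]

# Slide 14: a deny entry for Joe himself nullifies what his groups grant.
ACL_WITH_DENY = [("managers", "allow", {"full control"}),
                 ("IT", "allow", {"read"}),
                 ("joe", "deny", {"full control"})]

if __name__ == "__main__":
    print(effective_rights(ACL_ADDITIVE, "joe", JOE_GROUPS))   # {'read', 'write'}
    print(effective_rights(ACL_WITH_DENY, "joe", JOE_GROUPS))  # set()
```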

15 MAC

16 Mandatory Access Control
Mandatory Access Control means that the system is configured with a set of RULES for access and strictly enforces them. The Data Owner is not able to arbitrarily set permissions for users or groups. Military systems use MAC, usually in a “clearance level” model. (more)

17 MAC and clearances
Clearance Levels – data is classified into a level by the data owner:
Top Secret – exceptionally grave damage to national security
Secret – serious damage to national security
Confidential – damaging national security
Unclassified – public
(more)

18 MAC and clearances
Now users are given a clearance level. For example: Bob has Secret clearance. If Bob wants to access a document, the OS looks at the document's classification and Bob's clearance level. Bob will only get access if his clearance “dominates” the document's classification.

19 Example question 1
Budget.txt classification: Secret
Bob's clearance: Top Secret
Can Bob read the file budget.txt?

20 Example question 2
super-secret-file.txt classification: Top Secret
Bob's clearance: Secret
Can Bob access the file “super-secret-file.txt”?
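Added example (not from the slides): the “dominates” check from slides 17 to 20, applied to example questions 1 and 2. It goes one step beyond the slides: a label may also carry compartments (need-to-know categories), and dominance then additionally requires the subject's compartments to include the object's. The compartment names are constructed.

```python
# Added example (not from the slides): the MAC "dominates" check.
# Beyond the slides, a label is (level, compartments): the subject must
# be at or above the object's level AND hold every compartment the object
# is marked with. Compartment names below are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def level_rank(name):
    try:
        return LEVELS[name.lower()]
    except KeyError:
        raise ValueError("unknown classification level: %r" % name)

def dominates(subject_label, object_label):
    """subject_label / object_label: (level name, iterable of compartments)."""
    s_level, s_comps = subject_label
    o_level, o_comps = object_label
    return (level_rank(s_level) >= level_rank(o_level)
            and set(s_comps) >= set(o_comps))

def can_read(clearance, classification, need_to_know=(), doc_compartments=()):
    """The OS decision: read is allowed only if the subject's clearance
    dominates the document's classification. The data owner cannot
    override this; it is the system's rule."""
    return dominates((clearance, need_to_know), (classification, doc_compartments))

def example_question_1():
    # Budget.txt is Secret; Bob holds Top Secret clearance.
    return can_read("Top Secret", "Secret")

def example_question_2():
    # super-secret-file.txt is Top Secret; Bob holds Secret clearance.
    return can_read("Secret", "Top Secret")

if __name__ == "__main__":
    print("Q1:", example_question_1())   # True: Top Secret dominates Secret
    print("Q2:", example_question_2())   # False: Secret does not dominate Top Secret
    # Same level, but the document carries a compartment Bob does not hold:
    print(can_read("Secret", "Secret", need_to_know={"alpha"}, doc_compartments={"bravo"}))  # False
```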

21 Role Based Access Control (546)
Access to resources is given to job positions or “roles”. Users are assigned to roles, and then they have the access rights that the roles have.
Much more scalable model than individually assigning permissions
Avoids Authorization Creep
Great for large companies
Great if there is a lot of turnover

22 Rule Based
The decision to grant access to an item is based on a set of rules (yes or no questions).
Example: You may access a file IF
You are in the management group
The time is between 9AM-5PM Monday-Friday
Firewalls use rule based access control to analyze a packet and see if it should be allowed based on the “firewall rules”.
Advantages:
Very flexible type of control
Can be combined with other types of access controls
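Added example (not from the slides): a rule-based decision using the slide's own rule (management group AND Monday-Friday 9AM-5PM), plus a small packet-filter rule base to show the same evaluator working firewall-style, where the first matching rule decides and nothing matching means the default deny. The request and packet fields are constructed.

```python
# Added example (not from the slides): rule-based access control.
# Rules are an ordered list of (conditions, decision). The first rule whose
# conditions ALL hold decides, like a firewall rule base; if no rule
# matches, the default (deny) applies. Request/packet fields are constructed.
from datetime import datetime

def in_group(name):
    return lambda req: name in req["groups"]

def business_hours(req):
    t = req["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17    # Mon-Fri, 09:00 up to (not including) 17:00

def decide(rules, req, default="deny"):
    for conditions, decision in rules:
        if all(cond(req) for cond in conditions):
            return decision
    return default

def file_request(user, groups, year, month, day, hour, minute=0):
    """Build a request (helper so callers need not construct datetimes)."""
    return {"user": user, "groups": set(groups),
            "time": datetime(year, month, day, hour, minute)}

# The slide's rule: in management AND during business hours.
FILE_RULES = [([in_group("management"), business_hours], "allow")]

# Packet-filter style rule base: specific allow first, explicit deny-all last.
FIREWALL_RULES = [
    ([lambda p: p["proto"] == "tcp", lambda p: p["dport"] == 443], "allow"),
    ([lambda p: True], "deny"),
]

if __name__ == "__main__":
    print(decide(FILE_RULES, file_request("ann", {"management"}, 2024, 3, 5, 10, 30)))  # allow (Tuesday)
    print(decide(FILE_RULES, file_request("ann", {"management"}, 2024, 3, 9, 10, 30)))  # deny (Saturday)
    print(decide(FIREWALL_RULES, {"proto": "tcp", "dport": 22}))                         # deny
```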

23 Auditing

24 If you are going to bother to protect a resource, you should enable auditing on the resource. You should check the audit logs to determine who is accessing what:
See if people are accessing things they don't really need (then remove permissions)
See if people are accessing things “too much”
Determine if people's access is not sufficient for their job requirements

25 Audit Files and Logs
Unix/Linux – Syslog (framework)
Windows – Event Viewer (see next slide)
Applications – specific log files for the application:
Firewall logs
Anti-virus logs
Database logs
Web server logs
Mail server logs
DNS server logs

26 Event Viewer
Open up Event Viewer if you've never used it before, and look around!

27 Chapter 19 - Review
Q. What is role based access control?
Q. What is MAC? Where is it usually used?
Q. What is DAC? Where is it usually used?
Q. What is rule based access control?

28 Chapter 19 - Review
Q. Should user IDs be shared?
Q. Why is auditing necessary?
Q. What type of access control does Windows 2000+ Server use for files and directories?
Q. What are the 3 Unix access permissions? What are the 3 different “components” they can be applied to?
