340 likes | 575 Views
7-Access Control Fundamentals. Dr. John P. Abraham Professor UTPA. Access Control. Process by which resources are ganted or denied on a network. Basic steps: Identification – review of credentials Authentication – Validate credentials as genuine
E N D
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA
Access Control • Process by which resources are ganted or denied on a network. Basic steps: • Identification – review of credentials • Authentication – Validate credentials as genuine • Authorization – Permission granted to network • Access – right given to access specific resources • Physical Access control, Hardware control, software control, policy control
Access Control Terminology (continued) Security+ Guide to Network Security Fundamentals, Third Edition 3
Access Control models • Mandatory Access Control (MAC) • Discretionary Access Control (DAC) • Role Based Access Control (RBAC) • Rule Bases Access Control (RBAC)
Mandatory Access Control – used in defense and military. • Most restrictive • Owner/Administrator responsible for managing access controls. • Owner defines a policy about users or user groups who can operate objects. • Administrator implements the policy. • Users can’t modify the policy • If numbers are assigned to users and objects, user number had to be higher than object number to have access to that object.
Access Control Terminology (continued) Security+ Guide to Network Security Fundamentals, Third Edition 6
Discretionary Access Control • Least restrictive • Users can manipulate any objects and • End user sets the level of security – it is a major weakness • User’s permission will be inherited by any programs that the subject executes. Operating systems are now beginning to ask users for permission when installing a software (User Account Control or UAC).
UAC • Primary restrictions implemented by UAC: • Run with limited privileges by default for administrators. Gives Windows needs your permission to continue popup. Software can’t secretly install itself. • Standard user account can run allowed applications without having administrator privileges. • Standard users can perform common tasks such as installing new fonts or adding a printer. without having administrative privileges.
Access Control Models (continued) Security+ Guide to Network Security Fundamentals, Third Edition 9
Role Based Access Control • Instead of setting permission for each user or group, RBAC model assigns permission to particular roles in the organization then assigns users to that role. User can only belong to one role. Users can’t be given permissions beyond the role.
Access Control Models (continued) Security+ Guide to Network Security Fundamentals, Third Edition 11
Rule Based Access Control • Each resource object contains a set of access properties based on the rules. This is good when a user needs to access several systems.
Practices for Access Control • Separation of duties: Prevent too much control by just one person. Owner and administrator should be two different individuals. • Job rotation: responsibilities should be rotated. Requires cross training. • Lease privilege: Give minimum required privilege. • Implicit Deny: Deny all, except allowed ones.
Logical Access Control Methods: • Access Control lists (ACLs), group policies, account restrictions and passwords. • ACL – set of permissions attached to an object. Unix rwx Windows: full, modify, read&execute, read write, special permissions.
Access Control Lists (ACLs) (continued) Security+ Guide to Network Security Fundamentals, Third Edition 15
Security+ Guide to Network Security Fundamentals, Third Edition 16
Group Policies • Microsoft windows feature that provides centralized management of • Configuration of computers • Remote users • Uses active directory • Used in enterprise environments to restrict user actions that may pose a security risk • Group policy can control logging in scripts, folder redirection, internet explorer settings and windows registry settings. • Group policy settings are stored in group policy objects which may in turn me linked to multiple domains.
Account restrictions • Time of day restrictions • Account expiration • Password policy: Password expiration, used passwords can’t reused, strong passwords: required Uppercase, lower case and numbers, and length of characters.
Security+ Guide to Network Security Fundamentals, Third Edition 19
Attacks on passwords • Brute force attack. Simply guessing passwords such as first name, family members name, birthdates, cities, etc. • Dictionary attack. Regular words and hashed words. Hashed words are encrypted passwords of dictionary words. Stolen password files from the computer will be hashed. Hashed words can be compared to these words in hashed files to discover the real passwords.
Passwords (continued) Security+ Guide to Network Security Fundamentals, Third Edition 21
Security+ Guide to Network Security Fundamentals, Third Edition 22
Physical access control • Secure the system • Remove or disable hardware that can provide access to computer such as USB ports and DVD drives • Rack mounted servers are preferred. Several such servers will have one keyboard and mouse (KVM swiches, with username and password security) • Door Security – Lock or door access system (either key pad or physical tokens such as IDbadge with RFID) • Video surveillance • Physical Access log
Security+ Guide to Network Security Fundamentals, Third Edition 25
Video Surveillance Closed circuit television (CCTV) Using video cameras to transmit a signal to a specific and limited set of receivers Some CCTV cameras are fixed in a single position pointed at a door or a hallway Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view Security+ Guide to Network Security Fundamentals, Third Edition 26
Physical Access Log Physical access log A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area Can also identify if unauthorized personnel have accessed a secure area Physical access logs originally were paper documents Today, door access systems and physical tokens can generate electronic log documents Security+ Guide to Network Security Fundamentals, Third Edition 28