Access Control Flashcards
What are the four Access Control Models
MAC (Mandatory AC), DAC (Discretionary AC), RBAC (Role-Based AC), ABAC (Attribute-Based AC)
Describe DAC
Discretionary Access Control is when the access control policy is determined by the owner of the network resource.
When a folder is created by a user, that user can choose who has access to the folder and what level of access they have.
What are the requirements of DAC
- Every object in a system must have an owner.
- Each owner determines access rights and permissions for each object.
Describe MAC
Mandatory Access Control is a model where the computer system determines the access control for a user.
MAC relies on security labels being assigned to every user (subject) and every file, folder, device, or network connection (object).
What is a security label
A label assigned to a subject or object within MAC. Data labels create trust levels for all subjects and objects; to access an object, the subject must meet or exceed the object's trust level.
How is MAC implemented
MAC uses rule-based and lattice-based access control methods. Both are sub-access-control methods that rely on data labels.
Describe Rule Based AC
A sub-access-control method of MAC.
Label-based access control that decides whether access to an object should be granted or denied by comparing the object label with the subject label.
Describe LBAC
A sub-access-control method of MAC.
Lattice-based access control utilizes complex mathematics to create sets of objects and subjects that define how they interact.
True or False: MAC is an industry best practice
False: MAC is only used in high-security environments due to its complex and expensive configuration.
True or False: MAC is a feature in FreeBSD and SELinux
True
Describe ABAC
Attribute-based access control is a dynamic, context-aware model that uses if-then statements with tags and dynamic authentication.
Describe Role-Based Access Control (RBAC)
Role-Based Access Control
A model that is controlled by the system but utilizes a set of permissions instead of a single data label to define permission levels.
Access based on job function is RBAC.
Power User accounts are RBAC permissions.
What are the best practices for Access Control
Implicit deny
Least Privilege
Separation of Duties
Job Rotations
Explain Implicit deny and least privilege
Implicit deny - All resources should be denied by default and only allowed when explicitly stated.
Least Privilege - Users should have the lowest level of access needed to perform their job function; similar to the "need to know" aspect of MAC.
Explain Separation of Duties and Job Rotations
Separation of Duties - Requires more than one person to conduct sensitive tasks or operations.
An example would be an admin having both a standard user account and a power user account.
Job Rotation - Users are cycled between jobs to learn operations and to reduce burnout and boredom.
Helps employees learn new skills in addition to identifying theft and fraud.
True or False: OUs in ADUC are made to mimic major departments within an organization
True
List the permissions in Windows from highest privilege to lowest.
Full Control
Modify
Read + Execute
List folder contents
Read
Write
True or False: AD Groups can contain Groups?
True
What is a group
A collection of users based on common attributes (generally work roles).
In Linux, what are the levels of access, and what are the letters for Owners, groups, and all users?
Read, Write, Execute
Owners - U
Groups - G
All users - A or O
What is CHMOD
A program in Linux used to change the permissions or rights of a file or folder using a shorthand numbering system.
What are the numbers associated with Read, Write, and Execute for CHMOD, and how are the numbers organized in the CLI
Read = 4
Write = 2
Execute = 1
No access = 0
In the CLI the digits are ordered Owner (U), Group (G), All Users (A or O).
What does CHMOD 777 grant
It grants full access to Owners, Groups, and all users.
What does CHMOD 760 grant
Grants full access to owners, Read/Write to the group, and no access to all users.