Access Control

Question 1

What are the four Access Control Models

Answer 1

MAC (Mandatory AC) , DAC (Discretionary AC), RBAC (Role Based AC), ABAC (Attribute Based AC)

Question 2

Describe DAC

Answer 2

Discretionary Access Control is when the Access control policy is determined by the owner of the network resource.

When a folder is created by a user, they have the ability to choose who has access to the folder and what level of access they have

Question 3

What are the requirements of DAC

Answer 3

1. Every object in a system must have an owner.
2. Each owner determines access rights and permissions for each object

Question 4

Describe MAC

Answer 4

Mandatory Access Control is a model where the computer system determines the access control for a user.

MAC relies on security labels being assigned to every user (subject) and every file/folder/device or network connection (object)

Question 5

What is a security label

Answer 5

A label assigned to a subject or object within MAC. Data labels create trust levels for all subjects and objects, and to access objects you must meet the minimum or greater trust level.

Question 6

How is MAC implemented

Answer 6

MAC used rule based and lattice based access control methods. Both are sub access control methods that rely on data labels.

Question 7

Describe Rule Based AC

Answer 7

A SUB Access Control of MAC

Label based access control that defines whether access should be granted or denied to objects by comparing the object label and subject label

Question 8

Describe LBAC

Answer 8

A SUB Access Control of MAC

Lattice based Access control - utilizes complex mathematics to create sets of object and subjects that define how they interact.

Question 9

True or False: MAC is an industry best practice

Answer 9

False: MAC is only used in high security environments due to its complex and expensive configuration

Question 10

True or False: MAC is a feature in FreeBSD and SeLinux

Answer 10

True

Question 11

Describe ABAC

Answer 11

Attribute based access control is a dynamic and context aware model that uses if then statements with Tags and dynamic authentication.

Question 12

Describe Role Based Access Control RBAC

Answer 12

Role Based Access Control

Model that is controlled by the system but utilized a set of permissions instead of a single data label to define permission levels.

Access based on job function is RBAC

**Power User accounts are RBAC Permissions

Question 13

What are the best practices for Access Control

Answer 13

Implicit deny
Least Privilege
Separation of Duties
Job Rotations

Question 14

Explain Implicit deny and least privilege

Answer 14

Implicit deny - All resources should be denied by default and only allowed when explicitly stated.

Least Privilege - Users should have he lowest level of access needed to perform their job function - similar to “Need to Know” aspect of MAC.

Question 15

Explain Separation of Duties and Job Rotations

Answer 15

Separation of duties
includes requiring more than one person to conduct sensitive tasks or operations.
An example would be an admin having both a Standard user account and a power user account.

Job Rotation -
Users are cycled between jobs to learn operations reduce burnout and boredom.

Helps employees learn new skills in addition to identifying theft and fraud.

Question 16

True of False: OUs in ADUC are made to mimic major departments within in an organization

Answer 16

True

Question 17

List the permissions in windows from highest privilege to lowest.

Answer 17

Full Control
Modify
Read + Execute
List folder contents
Read
Write

Question 18

True or False: AD Groups can contain Groups?

Answer 18

True

Question 19

What is a group

Answer 19

collection of users based on common attributes (generally work roles)

Question 20

In Linux, what are the levels of access, and what are the letters for Owners, groups, and all users?

Answer 20

Read, Write, Execute

Owners - U
Groups - G
All users - A or O

Question 21

What is CHMOD

Answer 21

Program in Linux used to change the permissions or rights of a file or folder using a short hand numbering system.

Question 22

What are the numbers associated to Read, Write and Execute for CHMOD and how are the numbers organized in the CLI

Answer 22

Read = 4
Write = 2
Execute = 1
No access = 0

in the CLI it is Owner (U), Group(G), All Users(A or O)

Question 23

What does CHMOD 777 grant

Answer 23

It grants full access to Owners, Groups, and all users

Question 24

What does CHMOD 760 grant

Answer 24

Grants full access to owners, Read\Write to the group, and no access to all users.

Question 25

What is privilege creep?

Answer 25

occurs when users get additional acess over time as they move through roles.

VIOALATES PLOP

Question 26

What is User Access Recertification?

Answer 26

Process when each user’s rights and permissions are re-validated to ensure they are accurate.

Question 27

When should User Access Re-certification occur?

Answer 27

When users are hired, fired, or promoted

Question 28

True or False Permission inheritance will occur by default when a new folder is creted

Answer 28

True, any permission added or removed from the parent folder will be passed on to any child folders

Question 29

What is permission propagation

Answer 29

Occurs when permissions are passed to a subfolder from the parent through inheritance

Question 30

True or False: Adding users discretionarily to a folder via NTFS security settings is a best practice

Answer 30

False, users should belong to groups that have access to folders via NTFS security tab settings.

Question 31

FYI

Answer 31

If you copy a folder, the permissions of that folder are inherited from the parent folder that it is copied to.

IF you MOVE a folder,. then permissions are retained form its original permissions.

Question 32

What is the minumum password length Comptia wants

Answer 32

8

Question 33

What are the password best practices

Answer 33

1. Force PW resets from default password, when new accounts are created
2. Require frequent password resets (90 days)
3. Always change default or admin passwords
4. Disable built-in Guest account in Windows.
5. Use strong password policies.

Question 34

What is the UAC

Answer 34

User Account Controls - Security component inside of windows that keeps ever users account running inside of standard privilege until an action is performed that requires privilege escalation.

It can be disabled from the control panel