Access Control Flashcards
What are the four Access Control Models
MAC (Mandatory AC) , DAC (Discretionary AC), RBAC (Role Based AC), ABAC (Attribute Based AC)
Describe DAC
Discretionary Access Control is when the Access control policy is determined by the owner of the network resource.
When a folder is created by a user, they have the ability to choose who has access to the folder and what level of access they have
What are the requirements of DAC
- Every object in a system must have an owner.
- Each owner determines access rights and permissions for each object
Describe MAC
Mandatory Access Control is a model where the computer system determines the access control for a user.
MAC relies on security labels being assigned to every user (subject) and every file/folder/device or network connection (object)
What is a security label
A label assigned to a subject or object within MAC. Data labels create trust levels for all subjects and objects, and to access objects you must meet the minimum or greater trust level.
How is MAC implemented
MAC used rule based and lattice based access control methods. Both are sub access control methods that rely on data labels.
Describe Rule Based AC
A SUB Access Control of MAC
Label based access control that defines whether access should be granted or denied to objects by comparing the object label and subject label
Describe LBAC
A SUB Access Control of MAC
Lattice based Access control - utilizes complex mathematics to create sets of object and subjects that define how they interact.
True or False: MAC is an industry best practice
False: MAC is only used in high security environments due to its complex and expensive configuration
True or False: MAC is a feature in FreeBSD and SeLinux
True
Describe ABAC
Attribute based access control is a dynamic and context aware model that uses if then statements with Tags and dynamic authentication.
Describe Role Based Access Control RBAC
Role Based Access Control
Model that is controlled by the system but utilized a set of permissions instead of a single data label to define permission levels.
Access based on job function is RBAC
**Power User accounts are RBAC Permissions
What are the best practices for Access Control
Implicit deny
Least Privilege
Separation of Duties
Job Rotations
Explain Implicit deny and least privilege
Implicit deny - All resources should be denied by default and only allowed when explicitly stated.
Least Privilege - Users should have he lowest level of access needed to perform their job function - similar to “Need to Know” aspect of MAC.
Explain Separation of Duties and Job Rotations
Separation of duties
includes requiring more than one person to conduct sensitive tasks or operations.
An example would be an admin having both a Standard user account and a power user account.
Job Rotation -
Users are cycled between jobs to learn operations reduce burnout and boredom.
Helps employees learn new skills in addition to identifying theft and fraud.
True of False: OUs in ADUC are made to mimic major departments within in an organization
True
List the permissions in windows from highest privilege to lowest.
Full Control
Modify
Read + Execute
List folder contents
Read
Write
True or False: AD Groups can contain Groups?
True
What is a group
collection of users based on common attributes (generally work roles)
In Linux, what are the levels of access, and what are the letters for Owners, groups, and all users?
Read, Write, Execute
Owners - U
Groups - G
All users - A or O
What is CHMOD
Program in Linux used to change the permissions or rights of a file or folder using a short hand numbering system.
What are the numbers associated to Read, Write and Execute for CHMOD and how are the numbers organized in the CLI
Read = 4
Write = 2
Execute = 1
No access = 0
in the CLI it is Owner (U), Group(G), All Users(A or O)
What does CHMOD 777 grant
It grants full access to Owners, Groups, and all users
What does CHMOD 760 grant
Grants full access to owners, Read\Write to the group, and no access to all users.
What is privilege creep?
occurs when users get additional acess over time as they move through roles.
VIOALATES PLOP
What is User Access Recertification?
Process when each user’s rights and permissions are re-validated to ensure they are accurate.
When should User Access Re-certification occur?
When users are hired, fired, or promoted
True or False Permission inheritance will occur by default when a new folder is creted
True, any permission added or removed from the parent folder will be passed on to any child folders
What is permission propagation
Occurs when permissions are passed to a subfolder from the parent through inheritance
True or False: Adding users discretionarily to a folder via NTFS security settings is a best practice
False, users should belong to groups that have access to folders via NTFS security tab settings.
FYI
If you copy a folder, the permissions of that folder are inherited from the parent folder that it is copied to.
IF you MOVE a folder,. then permissions are retained form its original permissions.
What is the minumum password length Comptia wants
8
What are the password best practices
- Force PW resets from default password, when new accounts are created
- Require frequent password resets (90 days)
- Always change default or admin passwords
- Disable built-in Guest account in Windows.
- Use strong password policies.
What is the UAC
User Account Controls - Security component inside of windows that keeps ever users account running inside of standard privilege until an action is performed that requires privilege escalation.
It can be disabled from the control panel
