CH20 Access Control Flashcards
What is DAC access control model?
DAC = Discretionary Access Control
the owner of the file / folder determines access control.
Used most commonly.
Used by Windows
What is MAC access control model?
MAC = Mandatory Access Control
the computer system determines the access control for an object.
It relies on security labels being assigned to every user (called a subject) and every field/folder/device or network connection (called object).
Data labels create trust levels for all subjects and objects.
To access something you need to meet the minimum level and have “need-to-know”
It is a feature in FreeBSD & SELinux… only in high security systems due to its complex configuration
MAC is implemented through the Rule-based and the Lattice-based access control methods
For the exam: remember that lattice and rule-based are both types of Mandatory Access Control.
What is Rule-based Access Control ?
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
For the exam: remember that lattice and rule-based are both types of Mandatory Access Control.
What is Lattice-based Access Control ?
Utilizes complex mathematics to create sets of objects and subjects to define how they interact.
For the exam: remember that lattice and rule-based are both types of Mandatory Access Control.
What is RBAC access control model?
RBAC = Role-Based Access Control
Access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level. We set permissions based on the job function
Power Users – is a role-based permission
What is ABAC access control model?
ABAC = Attribute Based Access Control
an access model that is dynamic and context-aware using IF-THEN statements
What is one of the best access control practices called Implicit Deny?
All access to a resource should be denied by default and only be allowed when explicitly stated
What is one of the best access control practices called Least Privilege?
Users are only given the lowest level of access needed to perform their job functions
What is one of the best access control practices called Separation of Duties?
requires more than one person to conduct a sensitive task or operation. It can also be implemented by a single user with a user and admin account, forcing the user to log in as admin to do admin related duties. Less of a chance to malware to spread
What is one of the best access control practices called Job Rotation?
occurs when users are cycled through various jobs.
Mandatory vacation is another form of job rotation
What is ADUC ?
ADUC = Active Directory Users and Computers.
It is a program in Windows where you can explore all the users, the groups, and the computers.
For a large company, you can create a new user within the Organizational Unit (OU) within Active Directory.
What are the user chmod permissions?
R (read) = 4
W (write) = 2
X (Execute) = 1
For the Exam: you’ll be given a chmod command, and you’ll have to be able to figure out what permission each person has.
What is Privilege Creep?
occurs when a user gets additional permission over time as they rotate through different positions or roles.
Privilege Creep violates the principle of least privilege.
To prevent privilege creep, we have User Access Recertification – process where each user’s rights and permissions are revalidated to ensure they are correct
What is UAC ?
UAC = User Account Control
A security component in Windows that keeps every user in standard user mode instead of acting like an administrative user.
