Ch.8 - Access Control

Question 1

Access Control Models

Answer 1

Method to determine what privileges are and are not associated with each user (in Authorization system)

Question 2

Discretionary Access Control (DAC)

Answer 2

Owner of each controlled object decides who can access it
and what permissions they have
o Used by Windows - Common in Unix OS, but widely used in other business apps
o Typical DAC system: every file/folder/resource has owner
▪ Owner sets access permissions by editing access control list (ACL)

Question 3

Mandatory Access Control (MAC)

Answer 3

Admins assign security classifications, or labels, to each user and each resource - User can only access given resource if their labels are compatible
o Mainly used in military or high-security environment
o Centrally managed by admins
o Main model: Bell-LaPadula Model – Compare clearance level to resource’ sensitivity
▪ Simple Security Property states that subject at a given security level may not
read object at higher security level (but can write)
▪ The “*” (star) Security Property states that subject at given security level may not write to any object at lower security level

Question 4

Role-Based Access Control (RBAC1)

Answer 4

Admins define permissions and centrally control (MAC),
but users are assigned to one or more roles and not clearance levels (ex: job functions)
o Each role has list of permissions
o Popular in commercial app/military system
▪ Like DAC: Allows access to be permitted for individual resources on more flexible level (perform most functions of DAC or MAC)
▪ Unlike DAC: No strict concept of ownership, and doesn’t store permissions on each object

Question 5

Rule-Based Access Control (RBAC2)

Answer 5

Access determined by set of rules (static, dynamic, or triggered by other events) configured by admins
o Used to describe multiple, mutually exclusive approaches
▪ Like DAC: Uses list of rules configured in an ACL
▪ Unlike DAC: Stored on system/device (routers) controlled by admin

Question 6

Attribute-Based Access Control (ABAC)

Answer 6

Applies security attributes to resources, users, and env
then defines policies governing combinations of those attributes
o Sometimes called a “next-generation” access control because of its flexibility
o Every time access is requested, system evaluates it according to set of policies defined by admin (Boolean evaluations – involve coding – can be complex)

Question 7

Conditional Access

Answer 7

Boolean policy-based access allowing admins to define policies that determine whether user can access resource or require different authentication conditions

Question 8

Time and Location-Based Access Control (TLBAC)

Answer 8

Based on location/time of request

Question 9

Geolocation

Answer 9

Either general term for technologies that determine geographic location, or specific technique of using IP address to determine physical location via routing information and internet registries – popular for region-based content

Question 10

Geofencing

Answer 10

Use of GPS, RFID, cellular, or Wi-Fi data to identify the location of a mobile device and compare it to a virtual fence around a defined area – use location to make decision

Question 11

Geotagging

Answer 11

Application feature allowing location data to be embedded in photo, message, online post, or any other kind of file or communication – mainly implemented in mobile technologies

Question 12

The Identity Life Cycle (Identity and Access Provisioning Life Cycle)

Answer 12

Steps a given account passes through to gain access– Depends on org, but mainly follow this cycle

Question 13

Account Types

Answer 13

Allow for customizable permissions of given account

• User
• Privileged
• Shared/Generic
• Guest
• Service

Question 14

User

Answer 14

• Ordinary accounts for authenticated users
• Usually have permission to perform everyday tasks and access information suitable to the user’s job role
• Don’t have access to administrative functions or sensitive data outside user’s specific job role

Question 15

Privileged

Answer 15

• Accounts with access to resources ordinary users do not, including but not limited to administrator accounts
• For example: Help desk worker might be able to reset passwords for user accounts, but not change more critical security settings

Question 16

Shared/Generic

Answer 16

• Accounts used by multiple people rather than a specific assigned user
• Lack of accountability makes shared accounts a poor security practice, but sometimes valuable
• Reception desk with frequent staff changes might benefit from a shared account, or a public kiosk with limited permissions anyway
• Even if multiple people use it, the account should still be assigned to a person responsible for maintaining it, and its activities should still be monitored

Question 17

Guest

Answer 17

• Accounts for guests or visitors, typically more restricted than user accounts.
• For example: Guest account on a network might have access to the internet but not shared local resources
• Guest accounts may be shared or individual
• Temporary employees who need the same access as permanent ones might be assigned temporary user accounts instead of guest accounts

Question 18

Service

Answer 18

• Account associated with app or service that needs to interact with system
• For example: Web server or DBMS will have a service account that can own and access resources just like if it was a user, but independent of whatever user installed or ran service

Question 19

Identity Proofing

Answer 19

Process of verifying identification before issuing credentials (credential management)

Question 20

Reviewing Access Privileges

Answer 20

Review account permissions

1. Apply permissions on least privilege basis – Each acc should be assigned to user with valid reason to access system, and given limited privileges based on expected work duties
2. Privileged acc should receive extra scrutiny due to their increased risk profile
3. Periodically review acc permissions and contrast them with associated subject’s regular duties
4. Review acc activity to look for signs of intrusion or other suspicious behavior, with additional scrutiny for privileged users like administrators

Question 21

Active Directory User Management

Answer 21

• Active Directory defines several types of objects (some are security principal)
• Always has its own SID for controlling permissions
• Objects can be separated into container objects (can hold other objects) and leaf objects (can’t)
• Domain users and computers are both principals and leaf objects
  o Every domain has at least an Administrator and Guest user
• Groups are container objects which can hold users, computers, and other groups
• There are two types of groups:
  1) Security groups are principals used to centrally manage rights and permissions
  2) Distribution groups are non-principals primarily used to create email lists in Exchange

Question 22

Group Scopes

Answer 22

Assigning permissions to groups is much more efficient and secure than assigning same permissions to every user
▪ Use Domain Local Groups when you assign permissions to resources on local domain
▪ Use Global Groups to organize users sharing similar permissions needs
o Don’t assign permissions directly to global group—add global group to a domain local group with necessary permissions

▪ Use Universal Groups for nesting global groups from different domains – Can give single user or group permissions from multiple domains

Question 23

Group Policies

Answer 23

Establish security baselines and enforcing user permissions in Windows – Allows you to centrally control how users can access Windows features and resources

In Active Directory, you can set separate group policy
objects (GPOs) for sites, domains, or OUs using Group Policy Management Editor

GPOs allow you to change thousands of settings affecting all sorts of windows functions

1. Computer Configuration
2. User Configuration

Question 24

Managing Group Policies

Answer 24

When multiple GPOs apply, Windows processes them in following order, meaning that each subsequent GPO overrides the one before
- Multiple GPOs can make security challenging (weak security can override strong settings)

1) Local GPO (set on the current computer)
2) Site GPO
3) Domain GPO
4) Organizational unit GPO
5) Child OU GPO

Question 25

Managing Accounts

Answer 25

▪ Define a user policy with restrictions and best practices
▪ Enforce those policies with technological controls
▪ Continuously review both security logs and user access settings to verify that enforcements are secure, and users are in compliance

Question 26

Provisioning Accounts

Answer 26

▪ Choose user names carefully according to standard naming convention – Keep the needs of various elements of security and usability in mind when assigning them
▪ Where possible, assign permissions to groups rather than individual accounts – Easier to add/remove group members than to make permissions changes to multiple accounts
▪ Where possible, avoid use of generic accounts (guest accounts or any others shared by multiple users) - Convenient, but harder to monitor, individually log, and keep secure
▪ Assign administrators two accounts apiece: administrator account for tasks requiring escalated privileges, and standard user account for all other work
▪ When giving multiple accounts to single user, ensure that each account has separate password (someone gaining access to one gain access to all)

Question 27

Securing Accounts Access

Answer 27

▪ Allow users to choose their own passwords (don’t ask them to tell you) – When you must reset a password, choose secure temporary one and require it to be changed on next login
▪ In addition to configuring a minimum length, you can enforce complexity requirements such as requiring mix of uppercase, lowercase, numbers, and special characters (Setting maximum password length is not recommended, unless it can’t be supported for technical reasons)
▪ If possible, configure identity systems to test all passwords against a dictionary of weak or compromised passwords, and deny weak options
▪ NIST recommends passwords be changed when you believe account has been compromised, but not on scheduled basis (many systems still allow a maximum password age)
▪ To prevent password reuse, configure password history that tracks previous passwords – A minimum password age prevents users from cycling quickly through entire history
▪ Users are most likely to use long, strong passwords when they don’t have to remember them individually for each account – To encourage that, use credential management software
▪ Configure lockout policy that will block access to account after successive failed logins – Most secure lockouts require administrative override to unlock (can also use a time-based delay)
▪ Use additional security policies supported by your access control systems (ex: geolocation, time-based access, or conditional access)

Question 28

Auditing User Accounts and Deprovisioning

Answer 28

▪ Ensure auditing logs are enabled and review them regularly – Required frequency depends on system and its level of sensitivity
▪ Disable accounts when they are no longer needed (Deprovisioning)
▪ Regularly review and recertify active accounts to ensure they have all permissions they need, but no more
▪ If auditing and automation tools built into Active Directory or any other account management system aren’t sophisticated enough to meet your needs, look into third-party scripts or tools