Lesson 8 Identity and Access Control Management

Question 1

Access Control Schemes

Answer 1

DAC - Discretionary Access Control

RBAC - Role Based Access Control

MAC - Mandatory Access Control

ABAC - Attribute Based Access Control

Question 2

DAC

Answer 2

Discretionary Access Control

• Owner of a file has all the power
• No centralized point of management
• Owner centric, User defined
• Not rule based
• Used on local file storage on NTFS

Question 3

MAC

Answer 3

Mandatory Access Control

• Objects are given sensitivity labels
• Subjects are given clearance labels
• Centralized point of management
• System defined, very rigid
• Rule based
• Used by Trusted OS like SE Linux
• ex app armor to assign profiles

Question 4

RBAC

Answer 4

Role-Based Access Control

• Permissions are given to roles
• Users inherit permissions from the role they are given
• Centralized point of management
• Eases permission management for organizations
• Rule Based
• Similar to group based permission management
• used where content is king, like a blogging site, web site etc

Question 5

ABAC

Answer 5

Attribute-Based Access Control

• Limits access based off of any attribute of an object/file
• File extension, time, size, content, location, etc
• Centralized point of management
• Verify flexible but can become overly complex
• May slow down system
• Weighs a particular situation using attributes and is session aware
• ex. Inability to use sudo or WSL for certain privileged users
• ex User Account Control (UAC)

Question 6

GPO

Answer 6

Group Policy Objects
Windows Active Directory network configuration of access policies
- configures access rights for user/group/role accounts
- can be linked to administrative boundaries in Active Directory such as domains, and Ogr Units (OUs)

Question 7

Federation and Attestation

Answer 7

Federation means that the company trusts accounts created and managed by a different network
- like using google account -Identity Provider (IdP)- as login credentials to a third party site, like Twitter -Service Provider (SP)-

• Attestation is vouching for another

1. user contacts SP, SP redirects user to IdP to authenticate
2. user authenticates with IdP and gets an Attestation of identity, like a token or IdP signed document
3. User presents attestation document to SP. SP can use this due to trust relationship with IdP
4. SP can now connect with user

Question 8

SAML

Answer 8

Security Assertions Markup Language

• provides a means for federated networks and cloud providers to provide user identity assertions and transmit attestations between the user and IdP
• uses xml for the assertions
• signed by the XML signature specification
• utilizes Simple Object Access Protocol (SOAP) and HTTP (tcp over 80)/HTTPS(tcp over 443) to communicate the attestations

Question 9

OAuth and OpenId Connect

Answer 9

A better solution than SAML and SOAP for mobile devices
- Uses RESTful APIs

OAuth - Open Authentication Standard
- used for federated identity management, allowing resource servers or consumer sites work with user accounts created and managed on a separate identity provider

OpenID Connect (OIDC)
-an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields

Question 10

Service Accounts (Windows)

Answer 10

System - has most privileges

Local Service Account - same privileges as the standard user account, can only access the network as an anonymous user

Network Service Account - same privileges as the standard user account but can present the computers account credentials to access the network resources