Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki

Upload: sophia-stevens

Post on 31-Dec-2015


Page 1: Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki

Security+ All-In-One Edition

Chapter 19 – Privilege Management

Brian E. Brzezicki

Page 2

Access Control

There are a few methods of restricting access to a system; we will talk about them in this chapter:

• DAC

• MAC

• Role Based

• Rule Based

Page 3

Discretionary Access Control

The concept that a “data owner” is allowed to authorize access to subjects, at their own discretion.

• Most commercial solutions implement Discretionary Access Control

• ACLs are a common implementation of access controls in Discretionary systems

Page 4

Discretionary access control

Page 5

User Based

User Based – a DAC method where every user is assigned a unique ID.

Permissions are granted to each individual user. If a user has permissions to a resource, they can access it.

Advantages?

Problems?

Page 6

Group Based

A DAC method where groups are created. Users are placed in groups. Permissions are given to groups.

If a user is in a group that has permission to a resource, then that user has permission to the resource.

Advantages?

Problems?

Page 7

Group Based Access Control

Page 8

Combination of Access

When you have user and group based access control, often groups AND users are both assigned permissions to resources. The total combination of those permissions is your effective permissions.

Example:

John has Read access to file1.txt

John is a member of managers, which has Write access to file1.txt

John's effective access is: read + write

Page 9

Unix

Unix uses a “bit map” of permissions. The main permissions are:

• Read

• Write

• Execute

And these permissions can be assigned to 3 categories: Owner, Group, All Others

Ex. (see next page)

Owner: RWX   Group: RW-   Others: ---

Page 10

Unix Permissions
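As an added example (not from the slides), here is how the Unix permission bit map is evaluated for a requester. The point worth seeing in code is that Unix picks one class for the requester (owner, else group, else others) and uses only that class's bits, unlike the additive Windows ACLs described later in the chapter. The file owner, group and user names are constructed.

```python
# Added example (not from the slides): evaluating a Unix permission "bit map".
# Unix picks ONE class for the requester, checked in the order
# owner -> group -> others, and uses only that class's bits.
from dataclasses import dataclass

CLASSES = ("owner", "group", "others")
ACTIONS = ("read", "write", "execute")

@dataclass
class FileMode:
    owner: str      # owning user (constructed names below)
    group: str      # owning group
    mode: str       # 9-character map, e.g. "rwxrw----"

    def __post_init__(self):
        if len(self.mode) != 9:
            raise ValueError("mode must be 9 characters, e.g. rwxr-x---")
        for i, ch in enumerate(self.mode):
            if ch not in ("-", "rwx"[i % 3]):
                raise ValueError(f"bad character {ch!r} at position {i}")

    def bits(self, cls: str) -> dict:
        start = CLASSES.index(cls) * 3
        triple = self.mode[start:start + 3]
        return {a: triple[i] != "-" for i, a in enumerate(ACTIONS)}

    def octal(self) -> str:
        """The same bit map the way chmod writes it, e.g. rwxrw---- -> 760."""
        digits = ""
        for cls in CLASSES:
            b = self.bits(cls)
            digits += str(4 * b["read"] + 2 * b["write"] + 1 * b["execute"])
        return digits

def applicable_class(f: FileMode, user: str, groups: set) -> str:
    """First match wins: owner, otherwise group membership, otherwise others."""
    if user == f.owner:
        return "owner"
    if f.group in groups:
        return "group"
    return "others"

def can(f: FileMode, user: str, groups: set, action: str) -> bool:
    return f.bits(applicable_class(f, user, groups))[action]

# Constructed file matching the slide's example: Owner RWX, Group RW-, Others ---
file1 = FileMode(owner="alice", group="managers", mode="rwxrw----")
```

Because the owner class is chosen first, an owner whose own bits are `---` is refused even when the group bits would allow the access.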

Page 11

Windows Permissions

Windows uses Access Control Lists (also called NTFS permissions).

ACLs are a much more flexible model that allows you to assign ANY combination of permissions to any combination of users and groups.

(more)

Page 12

Windows ACLs

The basic ACL permissions are:

• Full Control

• Modify

• Read

• Read and Execute

• Write

Page 13

Windows ACLs

Windows ACLs are additive.

Joe is a member of the managers group

Joe is a member of the IT group

file1.txt:

managers = read, write

IT = read

What are Joe's “effective” permissions to file1.txt?

Page 14

Windows No Access permission

No Access is a special permission in Windows. It NULLIFIES all other permissions.

Joe is a member of managers

Joe is a member of IT

file1.txt:

managers = full control

IT = read

joe = deny

What are Joe's effective permissions?
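An added example (not from the slides) that works the three effective-permission scenarios from the combination-of-access, additive-ACL and No Access pages by applying the rules exactly as the slides state them: allows for the user and all of the user's groups are added together, and a deny for any of them nullifies everything. The bundle table for Full Control and Modify is a simplification; real NTFS evaluates per-right deny entries in ACE order, so this is the slides' model, not an NTFS emulation.

```python
# Added example (not from the slides): effective permissions under the
# additive DAC model the slides describe for Windows ACLs.
from typing import FrozenSet, List, Set, Tuple

# An access control entry: (principal, "allow" | "deny", set of rights)
ACE = Tuple[str, str, FrozenSet[str]]

# Composite Windows permissions expand to basic rights. The table is a
# simplification for this example, not the exact NTFS mapping.
BUNDLES = {
    "full control": frozenset({"read", "write", "execute", "delete", "change permissions"}),
    "modify": frozenset({"read", "write", "execute", "delete"}),
    "read and execute": frozenset({"read", "execute"}),
}

def expand(rights: FrozenSet[str]) -> FrozenSet[str]:
    out: Set[str] = set()
    for r in rights:
        out |= BUNDLES.get(r, frozenset({r}))
    return frozenset(out)

def effective(acl: List[ACE], user: str, groups: Set[str]) -> FrozenSet[str]:
    """Add up every allow for the user and their groups; any deny nullifies all."""
    principals = {user} | set(groups)
    if any(kind == "deny" and p in principals for p, kind, _ in acl):
        return frozenset()            # No Access wins over every allow
    allowed: Set[str] = set()
    for principal, kind, rights in acl:
        if kind == "allow" and principal in principals:
            allowed |= expand(rights)  # user entries and group entries both count
    return frozenset(allowed)

# The slides' three scenarios, written as constructed ACLs
def john_page8() -> FrozenSet[str]:
    acl = [("john", "allow", frozenset({"read"})),
           ("managers", "allow", frozenset({"write"}))]
    return effective(acl, "john", {"managers"})

def joe_page13() -> FrozenSet[str]:
    acl = [("managers", "allow", frozenset({"read", "write"})),
           ("IT", "allow", frozenset({"read"}))]
    return effective(acl, "joe", {"managers", "IT"})

def joe_page14() -> FrozenSet[str]:
    acl = [("managers", "allow", frozenset({"full control"})),
           ("IT", "allow", frozenset({"read"})),
           ("joe", "deny", frozenset())]
    return effective(acl, "joe", {"managers", "IT"})
```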

Page 15

MAC

Page 16

Mandatory Access Control

Mandatory Access Control means that the system is configured with a set of RULES for access and strictly enforces them. The data owner is not able to arbitrarily set permissions for users or groups.

Military systems use MAC, usually in a “clearance level” model.

(more)

Page 17

MAC and clearances

Clearance Levels – data is classified into a level by the data owner:

• Top Secret – exceptionally grave damage to national security

• Secret – serious damage to national security

• Confidential – damage to national security

• Unclassified – public

(more)

Page 18

MAC and clearances

Now users are given a clearance level.

For example: Bob has Secret clearance.

If Bob wants to access a document, the OS looks at the document's classification and Bob's clearance level.

Bob will only get access if his clearance “dominates” the document's classification.

Page 19

Example question 1

Budget.txt

classification: Secret

Bob Clearance: Top Secret

Can Bob read the file budget.txt?

Page 20

Example question 2

super-secret-file.txt

classification: Top Secret

Bob Clearance: Secret

Can Bob access the file “super-secret-file.txt”?
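An added example (not from the slides) of the “dominates” check for a clearance-level MAC system, applied to the two example questions above. The four levels are ordered as the slides list them; the spelling variants accepted by `parse_level` and the function names are my own.

```python
# Added example (not from the slides): the "dominance" check for a
# clearance-level MAC system. Levels form a strict order; a subject may
# read an object only when its clearance is at or above the object's
# classification, and nothing the data owner sets can change that.
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def parse_level(text: str) -> Level:
    """Accepts the spellings used on the slides ('secret', 'Top Secret')."""
    key = text.strip().upper().replace(" ", "_").replace("-", "_")
    try:
        return Level[key]
    except KeyError:
        raise ValueError(f"unknown classification: {text!r}") from None

def dominates(clearance: Level, classification: Level) -> bool:
    return clearance >= classification

def mac_read_allowed(user_clearance: str, file_classification: str) -> bool:
    # The decision uses only the two labels: no ACL, owner or group is consulted.
    return dominates(parse_level(user_clearance), parse_level(file_classification))

# The two example questions from the slides
def example_question_1() -> bool:
    return mac_read_allowed("top secret", "secret")      # Budget.txt

def example_question_2() -> bool:
    return mac_read_allowed("secret", "Top Secret")      # super-secret-file.txt
```

The slides cover only the read direction (clearance must dominate classification); a full lattice model also constrains writes, which this block does not attempt.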

Page 21

Role Based Access Control (546)

Access to resources is given to job positions or “roles”. Users are assigned to roles, and then they have the access rights that the roles have.

• Much more scalable model than individually assigning permissions

• Avoids authorization creep

• Great for large companies

• Great if there is a lot of turnover

Page 22

Rule Based

The decision to grant access to an item is based on a set of rules (yes or no questions).

Example: You may access a file IF

• You are in the management group

• The time is between 9AM-5PM Monday-Friday

Firewalls use rule based access control to analyze a packet and see if it should be allowed based on the “firewall rules”.

Advantages:

• Very flexible type of control

• Can be combined with other types of access controls
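An added example (not from the slides) that turns the slide's own rule, in the management group AND between 9AM-5PM Monday-Friday, into a small rule-based check. Each rule is a yes/no question and every rule must answer yes; the names of the rules that answered no are returned so the decision can be recorded. Rule names, the `Request` shape and the user names are my own.

```python
# Added example (not from the slides): rule-based access built from the
# slide's example rule (management group AND 9AM-5PM Mon-Fri).
from datetime import datetime, time
from typing import Callable, List, NamedTuple, Set, Tuple

class Request(NamedTuple):
    user: str
    groups: Set[str]
    when: datetime

class Rule(NamedTuple):
    name: str                         # used when recording the decision
    test: Callable[[Request], bool]   # the yes/no question

def in_group(name: str) -> Rule:
    return Rule(f"member of {name}", lambda req: name in req.groups)

def time_window(start: time, end: time, weekdays: Set[int]) -> Rule:
    # datetime.weekday(): Monday is 0 ... Sunday is 6
    return Rule(
        f"between {start:%H:%M} and {end:%H:%M} on weekdays {sorted(weekdays)}",
        lambda req: req.when.weekday() in weekdays and start <= req.when.time() <= end,
    )

def evaluate(rules: List[Rule], req: Request) -> Tuple[bool, List[str]]:
    """Grant only if every rule says yes; also report which rules said no."""
    failed = [rule.name for rule in rules if not rule.test(req)]
    return (not failed, failed)

# The slide's rule set for the file
FILE_RULES = [
    in_group("management"),
    time_window(time(9, 0), time(17, 0), {0, 1, 2, 3, 4}),   # Mon-Fri 9AM-5PM
]

def may_access_file(user: str, groups: Set[str], when: datetime) -> Tuple[bool, List[str]]:
    return evaluate(FILE_RULES, Request(user, set(groups), when))
```

Swapping `in_group("management")` for a role check is how this combines with role based access control, as the slide's last advantage describes.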

Page 23

Auditing

Page 24

Auditing

If you are going to bother to protect a resource, you should enable auditing on the resource.

• You should check the audit logs to determine who is accessing what

• See if people are accessing things they don’t really need (then remove permissions)

• See if people are accessing things “too much”

• Determine if people's access is not sufficient for their job requirements
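An added example (not from the slides) of the log review the slide asks for. The audit records and the grant table are constructed; in practice they would come from syslog, the Windows Security log or an application log. For each user the code compares the permissions held against the accesses actually logged to find grants that were never used (candidates for removal), resources touched unusually often, and logged accesses that no grant explains.

```python
# Added example (not from the slides): reviewing a constructed audit log
# against a constructed permission table.
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample audit records: "<user> <resource> <action>"
AUDIT_LOG = """\
john file1.txt read
john file1.txt read
john payroll.xls read
mary file1.txt write
mary payroll.xls read
mary hr-archive read
""".splitlines()

# Constructed grants: user -> resources that user is permitted to reach
GRANTS: Dict[str, Set[str]] = {
    "john": {"file1.txt", "payroll.xls", "hr-archive"},
    "mary": {"file1.txt", "payroll.xls"},
}

def parse(lines: List[str]) -> Dict[str, Counter]:
    usage: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        user, resource, _action = line.split()
        usage[user][resource] += 1
    return usage

def unused_grants(usage, grants) -> Dict[str, Set[str]]:
    """Permissions never exercised in the log: candidates for removal."""
    result = {}
    for user, resources in grants.items():
        unused = resources - set(usage.get(user, {}))
        if unused:
            result[user] = unused
    return result

def heavy_use(usage, threshold: int) -> List[Tuple[str, str, int]]:
    """(user, resource, count) at or above the threshold: 'too much' access."""
    return sorted((u, r, n) for u, c in usage.items() for r, n in c.items() if n >= threshold)

def unexplained(usage, grants) -> List[Tuple[str, str]]:
    """Logged accesses that no grant covers: the control itself needs a look."""
    return sorted((u, r) for u, c in usage.items() for r in c if r not in grants.get(u, set()))

def review(lines=AUDIT_LOG, grants=GRANTS, threshold: int = 2):
    usage = parse(lines)
    return unused_grants(usage, grants), heavy_use(usage, threshold), unexplained(usage, grants)
```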

Page 25

Audit Files and Logs

Unix/Linux – Syslog (framework)

Windows – Event Viewer (see next slide)

Applications – Specific log files for application.

• Firewall logs

• Anti-virus logs

• Database logs

• Web server logs

• Mail server logs

• DNS server logs

Page 26

Event Viewer

Open up event viewer if you’ve never used it before, and look around!

Page 27

Chapter 19 - Review

Q. What is role based access control?

Q. What is MAC? Where is it usually used?

Q. What is DAC? Where is it usually used?

Q. What is rule based access control?

Page 28

Chapter 19 - Review

Q. Should user IDs be shared?

Q. Why is auditing necessary?

Q. What type of access control does Windows 2000+ Server use for files and directories?

Q. What are the 3 Unix access permissions? What are the 3 different “components” they can be applied to?