Chapter 10 - Access Control Methods and Models

¡Supera tus tareas y exámenes ahora con Quizwiz!

ADUC

Active Directory® Users and Computers is a Microsoft Management Console (MMC) snap-in that you can use to administer and publish information in the directory.

implicit deny

Denies all traffic to a resource unless the users generating that traffic are specifically granted access to the resource. For example, when a device denies all traffic unless a rule is made to open the port associated with the type of traffic desired to be let through.

DAC

Discretionary access control (DAC) is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects, and what level of access they may have. The levels of access, or permissions, are stored in access control lists (ACLs).

Copying Folders and Files

If you copy a folder (or file) on the same volume or to a different volume, the folder inherits the permissions of the parent folder it was copied to (target directory).

Moving Folders and Files

If you move a folder (or file) to a different location on the same volume, the folder retains its original permissions. (You cannot move a folder to a separate volume; if you attempt to do so it will automatically be copied to the other volume.)

MAC

Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner. Permissions are predefined in the MAC model. The MAC model defines sensitivity labels that are assigned to subjects (users) and objects (files, folders, hardware devices, network connections, and so on). An object's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling).

Use policies

Policies governing user accounts, passwords, and so on can help you to enforce your rules.

Ctrl+Alt+Del

Pressing Ctrl+Alt+Del before the logon adds a layer of security to the logon process. This can be added as a policy on individual Windows computers. It is implemented by default with computers that are members of a domain.

RBAC

Role-Based Access Control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are configured. RBAC works with sets of permissions, instead of individual permissions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file.

MAC RBAC

Rule-based access control: Also known as label-based access control, this defines whether access should be granted or denied to objects by comparing the object label and the subject label.

Windows Server domain controller can be configured by completing the following steps

Step 1. Access the domain controller. Step 2. Create an MMC. Step 3. Add the Default Domain Policy to the MMC. (Done by adding a Group Policy Object Editor snap-in.) Step 4. In the Default Domain Policy, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. The Default Domain Policy affects all users.

Verify that the Guest account (and other unnecessary accounts) is disabled

This can be done by right-clicking the account in question, selecting Properties, and then selecting the checkbox named Account Is Disabled.

separation of duties (SoD)

This is when more than one person is required to complete a particular task or operation.

TCSEC

Trusted Computer System Evaluation Criteria (TCSEC) A DoD standard that sets basic requirements for assessing the effectiveness of computer security access policies. Also known as The Orange Book.

MAC Lattice-based access control

Used for more complex determinations of object access by subjects. Somewhat advanced mathematics are used to create sets of objects and subjects and define how the two interact.

UAC

User Account Control (UAC) is a security component of Windows that keeps every user (besides the actual Administrator account) in standard user mode instead of as an administrator with full administrative rights. UAC was created with two goals in mind: * To eliminate unnecessary requests for excessive administrative-level access to Windows resources * To reduce the risk of malicious software using the administrator's access control to infect operating system files

Least privilege

When a user is given only the amount of privileges needed to do his job.

Job rotation

When users are cycled through various assignments. This is one of the checks and balances that might be employed to enforce the proper separation of duties. Job rotation is when users are cycled through various assignments to * Increase user insight as to overall operations * Reduce employee boredom * Enhance employee skill level * Increase operation security Job rotation creates a pool of people that can do an individual job and discourages hoarding of information. It also helps to protect the purity of an operation.

ACL

access control list (ACL): access control list (ACL) A list of permissions attached to an object. ACLs specify what level of access a user, users, or groups have to an object. When dealing with firewalls, an ACL is a set of rules that applies to a list of network names, IP addresses, and port numbers.

Activate Administrator account

net user administrator /active:yes


Conjuntos de estudio relacionados

MGMT 329 CH 6 RECRUITING 6.1-6.7

View Set

Organizational Behavior - Exam 1

View Set

Chapter 15 Pre-Lecture Questions

View Set

Preguntas de la semana 2.2 Spanish 1

View Set

Russian 225 Подготовка к контрольной работе (Урок 6)

View Set

Overview of the Nursing Process-Sherpath

View Set

OB Chapt 11 Maternal Adaptation During Pregnancy

View Set