Access Controls Chapter 2


There are two types of permissions used in NTFS:

- Explicit permissions: permissions granted directly on the file or folder.
- Inherited permissions: permissions set on a folder that flow down to its child objects (subfolders and files).

In Windows Active Directory, there are two types of groups:

- Security groups: can be granted rights and permissions (and can also be used as email lists).
- Distribution groups: email lists only; they cannot be used to grant access.

A user can authenticate using one or more of the following methods:

- What a user knows, such as a password or personal identification number (PIN).
- What a user has, such as a passport, smart card or ID card.
- What a user is, usually biometric factors such as fingerprints, retinal scans, voice input or other physical traits.

NTLM is the

- default authentication protocol for Windows NT, for stand-alone computers that are not part of a domain, and for authentication to a server addressed by IP address rather than by name.
- fallback used when Kerberos authentication cannot complete, for example because the KDC is blocked by a firewall.
- protocol that uses a challenge-response mechanism, in which the client proves knowledge of the password (strictly, of its hash) without ever sending the password to the server. Caveat: because the response is computed from the password hash, a captured challenge/response pair can be guessed offline, and NTLM is also exposed to relay attacks; treat it as legacy and prefer Kerberos.
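The exchange described above, as an added example that is not part of the original page: a constructed, simplified model of an NTLM-style logon with both sides' messages. Real NTLMv2 derives the key with MD4 (the NT hash) and computes the response with HMAC-MD5 over a client blob; the SHA-256/HMAC-SHA256 choices, account names and passwords here are assumptions made so the shape of the protocol can be shown without extra libraries.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of an NTLM-style challenge-response logon.
# Real NTLMv2 uses MD4 (the NT hash) and HMAC-MD5 over a client blob; the
# SHA-256/HMAC-SHA256 choices here are assumptions made only to show the
# shape of the exchange and run with the standard library.


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (MD4 of the UTF-16LE password in real NTLM)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(key: bytes, user: str, challenge: bytes, client_nonce: bytes) -> bytes:
    """Both sides compute this; the password itself never appears on the wire."""
    msg = user.upper().encode("utf-16-le") + challenge + client_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.accounts: dict[str, bytes] = {}      # user -> stored hash (never the password)
        self.outstanding: dict[str, bytes] = {}   # user -> challenge not yet consumed

    def add_user(self, user: str, password: str) -> None:
        self.accounts[user] = password_hash(password)

    def challenge(self, user: str) -> bytes:
        """CHALLENGE_MESSAGE: 8 random bytes, remembered for exactly one use."""
        ch = os.urandom(8)
        self.outstanding[user] = ch
        return ch

    def authenticate(self, user: str, client_nonce: bytes, response: bytes) -> bool:
        """AUTHENTICATE_MESSAGE check; the challenge is consumed whether or not it matches."""
        ch = self.outstanding.pop(user, None)
        if ch is None or user not in self.accounts:
            return False
        expected = compute_response(self.accounts[user], user, ch, client_nonce)
        return hmac.compare_digest(expected, response)


def client_logon(server: Server, user: str, password: str) -> tuple[bool, bytes, bytes, bytes]:
    """Run the exchange; also return what a sniffer on the wire would have seen."""
    ch = server.challenge(user)                                          # message 2
    nonce = os.urandom(8)                                                # client randomness
    resp = compute_response(password_hash(password), user, ch, nonce)   # message 3
    return server.authenticate(user, nonce, resp), ch, nonce, resp


def demo() -> dict[str, bool]:
    srv = Server()
    srv.add_user("alice", "Correct-Horse-9")                 # constructed account
    ok, ch, nonce, resp = client_logon(srv, "alice", "Correct-Horse-9")
    bad, *_ = client_logon(srv, "alice", "wrong-guess")
    # Replaying a sniffed response fails: the server issues a fresh challenge
    # and the captured response was bound to the old one.
    srv.challenge("alice")
    replay = srv.authenticate("alice", nonce, resp)
    return {"correct_password": ok, "wrong_password": bad, "replayed_response": replay}


if __name__ == "__main__":
    print(demo())
```

The replay check is the property that matters: a fresh random challenge per logon is what stops a captured response being reused. It does not stop an attacker from guessing passwords offline against the captured pair, or from relaying the live exchange to another server, which is why the caveat above applies.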

Rule-based access control

A list of rules, maintained by the data owner (or an administrator), determines which users have access to objects. Think of a firewall rule set.

3 issues with Biometrics

- Accuracy
- Acceptability
- Reaction time

Actions

Activities that authorized users can perform on the resources.

Users

People who use the system.

Resources

Protected objects in the system. Resources can be accessed only by authorized subjects. Resources can be used only in authorized manners.

Identification

The means by which a subject/user claims an identity when requesting access to a system or resource (for example, presenting a username).

Authorization

The process of determining who is approved for access and to what

Authentication

The validation that the subject is who they claim to be.

Access control provides:

a set of resources available to the authenticated identity.

Since a digital certificate is used to prove a person's identity, it can be used for

authentication.

The digital certificate is an

electronic document, signed by a certificate authority, that binds an identity such as a user or organization to a corresponding public key.

What authentication type is the default for Active Directory? a. MS-CHAP b. MS-CHAPv2 c. Kerberos d. NTLM

c. Kerberos

Access controls can be

logical or physical

A server that is not running as a domain controller is known as a

member server

Access Control

- The process of protecting a resource so that it is used only by those allowed to do so
- Prevents unauthorized use
- Supports C-I-A (confidentiality, integrity, availability)

AAA is a model for access control

- authentication
- authorization
- accounting (auditing)

Asynchronous

1. The user initiates a logon request.
2. The authentication server provides a challenge to the user.
3. The user enters the challenge received from the server and a secret PIN known only to the user into the calculation device.
4. The token (or program) generates the response (the password) to the challenge, which appears in the window of the token.
5. The user provides the correct password to the authentication server.
6. Access is granted.

Integrity

defined as the consistency, accuracy, and validity of data or information.

Kerberos

Security and authentication are based on secret-key technology, where every principal (host or user) on the network has its own secret key shared with the Key Distribution Center (KDC).

Relationships

Optional conditions that exist between users and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.

Auditing

Process of creating policies and logs to track and validate access control actions

Synchronous

- Time-based
- Event-based
- Continuous
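An added example (not code from the original page) covering both token styles on these cards: the event-based and time-based synchronous tokens (RFC 4226 HOTP and RFC 6238 TOTP, with the server-side drift window and the "a code is accepted once" rule that the Kathy question below depends on), plus an asynchronous challenge-response mode modelling the six-step procedure above. The shared secret is the ASCII string used in the RFC test vectors; the challenge-response construction and the PIN are assumptions for illustration, not a documented token algorithm.

```python
import hashlib
import hmac
import struct
import time

# Added example: RFC 4226 HOTP (event-based), RFC 6238 TOTP (time-based) and an
# assumed challenge-response mode for an asynchronous token. SECRET is the
# 20-byte test-vector secret from the RFCs, so the outputs can be checked.
SECRET = b"12345678901234567890"
LOWERCASE_DIGITS = 6


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Event-based OTP: HMAC over the 8-byte big-endian counter."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), algo).digest(), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1, step: int = 30) -> bool:
    """Server check tolerating +/- skew_steps of clock drift between token and server."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew_steps, skew_steps + 1))


class HotpServer:
    """Event-based verifier with a look-ahead window; a used counter can never be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # resynchronise past the counter just used
                return True
        return False


def challenge_response(secret: bytes, challenge: str, pin: str, digits: int = 6) -> str:
    """Asynchronous token (assumed construction): the user keys the server's
    challenge and a PIN into the device, which returns an HMAC-derived code."""
    mac = hmac.new(secret, (challenge + ":" + pin).encode(), hashlib.sha256).digest()
    return truncate(mac, digits)


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(SECRET, c) for c in range(3)])
    print("TOTP at T=59, 8 digits:", totp(SECRET, 59, digits=8))
    print("TOTP now:", totp(SECRET, int(time.time())))
    print("challenge 481516 + PIN:", challenge_response(SECRET, "481516", "1234"))
```

The difference between the two synchronous modes is only what the counter is: an event count kept on both sides, or the current 30-second time slot. The asynchronous mode needs no shared counter or clock because the server's challenge is the freshness input.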

A domain controller is

a Windows server that stores a replica of the account and security information of the domain and defines the domain boundaries.

Security kernel provides

a central point of access control and implements the reference monitor concept

A group is

a collection or list of user accounts or computer accounts.

object

a distinct, named set of attributes or characteristics that represent a network resource, for example:
- users
- computers

A smart card is

a pocket-sized card with embedded integrated circuits consisting of non-volatile memory storage components, and perhaps dedicated security logic.

Authenticated Users is

a built-in pseudo-group (a well-known security identity rather than a group you manage) that includes every account that has authenticated, both local computer users and domain users; it does not include the Guest account or anonymous logons.

Any group is characterized by

a scope that identifies the extent to which the group is applied in the domain tree or forest.

A personal identification number (PIN) is

a secret numeric password shared between a user and a system that can be used to authenticate the user to the system.

A password is

a secret series of characters that enables a user to access a file, computer, or program.

What are the two major offline attacks used to break passwords? (Pick two) a. Brute-force b. Dictionary c. Sniffers d. Social engineering

a. Brute-Force b. Dictionary

Best practices for creating strong passwords (Select all that apply) a. Minimum of 8 characters b. Include username c. Use special characters whenever possible d. Use upper and lower case letters

a. Minimum of 8 characters c. Use special characters whenever possible d. Use upper and lower case letters (Current guidance such as NIST SP 800-63B puts more weight on length and on screening candidates against known-breached password lists than on mandatory special characters.)

Since a smart card can be stolen, some smart cards will not have

any markings on them, so that a thief cannot easily tell what the card opens.

Access control defined by group or job function is called a. Role-BAC b. MAC c. DAC d. Rule-BAC

a. Role-BAC

An administer needs to grant users access to different servers based on their job functions. Which Access Control model is the BEST choice to use? a. Role-Based Access Control b. Mandatory Access Control c. Non-Discretionary Access Control d. Discretionary Access Control

a. Role-Based Access Control

Access control model where the data owner establishes guides/rules that specify the privileges granted. a. Rule-BAC b. Role-BAC c. DAC d. MAC

a. Rule-BAC

When you create a local user on a computer running in Windows 10, where is the user account stored? a. SAM b. SQL database c. Active Directory d. PAN

a. SAM

Kathy is logging into her social media account online. She enters her user ID and password. The server then asks her to submit a key token number. She looks at the number on her USB token and sends it back. She must be careful to enter the number correctly, because the number on her USB token changes every minute. What access control methods are being used? (Check all that apply) a. Synchronous b. Asynchronous c. MAC d. Two-factor authentication

a. Synchronous d. Two-factor Authentication

Non-discretionary access control

is administered centrally by the security administrator rather than by the owner of each resource or the individual system administrator.

The Kerberos Key Distribution Center Server provides two key functions. They are (pick two) a. Ticket-Granting Server b. Cryptokey Management Server c. Logging Server d. Authentication Server

a. Ticket-Granting Server d. Authentication Server

Which users can access an object, and what each of them can do to it, is stored in the

access control list (ACL)

A list that specifies which subjects are allowed to access an object and what operations they can perform on it is referred to as a(n): a. ACE b. ACL c. DAC d. entity

b. ACL

Full, Modify, Read & Execute, Read and Write are examples of permissions that might appear on a(n) a. Shared folder b. Access control list c. Entry control list d. Authentication list

b. Access Control List

Availability

describes a resource being accessible to a user, application, or computer system when required.

Which is the least stringent version of Access Control a. Role-BAC b. DAC c. Rule-BAC d. MAC

b. DAC

Access controls cannot be implemented in various forms, restriction levels, and at different levels within the computing environment. a. True b. False

b. False

Before authorization can occur, the identity of the account attempting to access a resource must be

determined

In centralized access control, authentication is applied through the use of AAA servers. Select the benefits of this type of implementation. (Select all that apply) a. Flexibility b. Less administration time c. Reduced design errors d. Consistent application of access control policies

b. Less administration time c. Reduced design errors d. Consistent application of access control policies

Method of access control where objects carry labels. Access is set by the system AND the data owner (who applies the classification label). a. DAC b. MAC c. Role-BAC d. Rule-BAC

b. MAC

Your organization hosts several classified systems in your data center. Management wants to increase security for these systems by using two-factor authentication. You want to restrict access only to employees who have a 'need to know'. Which of the following should management implement for authorization? a. Rule-based access control b. Mandatory access control c. Username and password d. USB token and PIN

b. Mandatory Access Control

Which of the following uses an ACL? (Choose all that apply.) a. Logon rights b. NTFS folder c. Active Directory user d. Registry key

b. NTFS folder c. Active Directory user d. Registry key

Which of the following defines what a user can do to a specific object, such as read or delete the object? a. Authentication b. Permission c. Exploitation d. Authorization

b. Permission

Which of the following is a mechanism that allows authentication of dial-in and other network connections? a. VPN b. RADIUS. c. NTFS d. Single Sign-On

b. RADIUS.

When using Role Based Access Control (RBAC), permissions are assigned to: a. Groups b. Roles c. Labels d. Users

b. Roles

The network administrator has been tasked to help implement management's guidance that employees do not work on weekends. What is the best action they can take to ensure compliance? (Pick the best answer) a. Implement mandatory access control b. Use Rule-BAC c. Send an email saying the network will not be available on the weekend d. Set up an ACL

b. Use Rule-BAC

What type of authentication method identifies and recognizes people based on physical traits such as fingerprints? a. digital certificates b. biometrics c. WEP d. RADIUS

b. biometrics

Bob is logging into his company's email account from his desktop at home. He has to enter his username and password into the web application. After a moment the server provides a number that he then enters into a company app on his phone. The phone app provides a new 12-digit hexadecimal number that Bob enters back into the web application. Which step in the process provides authentication? a. username and password b. entering the 12-digit hexadecimal number c. logging in to his desktop d. the number he gets from the server

b. entering the 12 digit hexadecimal number

In Windows, when you copy a file from one folder to another and the folders have different access permissions, the file: a. none of the answers b. takes on the access rights of the destination folder c. must be assigned a new set of permissions manually d. retains its original access rights

b. takes on the access rights of the destination folder (A move within the same NTFS volume, by contrast, keeps the file's existing explicit permissions; a move across volumes is a copy followed by a delete and behaves like a copy.)

Role Based Access Control (RBAC)

bases access control approvals on the jobs the user is assigned. The security administrator assigns each user to one or more roles. Some operating systems use groups instead of roles.
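An added example, not code from the original page, for the RBAC definition above and the Rule-BAC answers earlier (the weekend restriction and the time-based rules): a small authorization engine in which permissions belong to roles, users are assigned roles by job function, roles may inherit from other roles, and a rule layer is evaluated regardless of role, like a firewall rule set. Every role, user, resource, rule and date here is constructed for illustration.

```python
from datetime import datetime

# Added example: role-based access control with a role hierarchy, plus a
# rule-based layer (time-of-day and no-weekend rules). All names constructed.

# Role -> permissions (resource, action). Permissions attach to roles, never to users.
ROLE_PERMS = {
    "employee":  {("fileserver", "read")},
    "developer": {("buildserver", "read"), ("buildserver", "write")},
    "dba":       {("dbserver", "read"), ("dbserver", "write")},
    "admin":     {("fileserver", "write")},
}
# Role hierarchy: a role inherits the permissions of its parents.
ROLE_PARENTS = {"developer": ["employee"], "dba": ["employee"], "admin": ["developer", "dba"]}
# Users get roles according to job function (the security administrator's job).
USER_ROLES = {"alice": ["developer"], "bob": ["dba"], "carol": ["admin"], "dave": []}

# Constructed timestamps used in the demo and checks.
TUESDAY = datetime(2024, 1, 9, 10, 0)
TUESDAY_NIGHT = datetime(2024, 1, 9, 22, 0)
SATURDAY = datetime(2024, 1, 13, 10, 0)


def effective_roles(user: str) -> set:
    """Transitive closure of the user's roles over the hierarchy."""
    seen, stack = set(), list(USER_ROLES.get(user, []))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, []))
    return seen


def rbac_allows(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS.get(r, set()) for r in effective_roles(user))


# Rule-based layer: each rule is a predicate that must hold whatever the role says.
def no_weekend_work(user: str, resource: str, action: str, when: datetime) -> bool:
    return when.weekday() < 5              # Monday=0 ... Friday=4


def writes_only_in_business_hours(user: str, resource: str, action: str, when: datetime) -> bool:
    return action != "write" or 7 <= when.hour < 19


RULES = [no_weekend_work, writes_only_in_business_hours]


def authorize(user: str, resource: str, action: str, when: datetime) -> tuple:
    """RBAC decides whether a permission exists; rules decide under what conditions it may be used."""
    if not rbac_allows(user, resource, action):
        return False, "no role grants this permission"
    for rule in RULES:
        if not rule(user, resource, action, when):
            return False, f"denied by rule {rule.__name__}"
    return True, "allowed"


if __name__ == "__main__":
    for u, r, a, t in [("alice", "buildserver", "write", TUESDAY),
                       ("carol", "dbserver", "write", TUESDAY),
                       ("bob", "fileserver", "read", SATURDAY),
                       ("alice", "buildserver", "write", TUESDAY_NIGHT)]:
        print(u, r, a, t.strftime("%a %H:%M"), authorize(u, r, a, t))
```

Notice that the weekend rule answers the management requirement without touching any role or ACL: a rule is a condition on when an existing permission may be exercised, which is why Rule-BAC is the right answer to that question rather than "set up an ACL".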

Active Directory is a technology created

by Microsoft that provides a variety of network services, including:
- LDAP
- Kerberos-based and single sign-on authentication
- DNS-based naming and other network information
- A central location for network administration and delegation of authority

Access control is defined by the owner/creator of the information, who can share it with few restrictions. a. MAC b. Rule-BAC c. DAC d. Role-BAC

c. DAC

You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000 Server operating system. You want to harden the security of the server. Which of the following changes are required to accomplish this? Each correct answer represents a complete solution. (Choose two) a. Remove the Administrator account b. Enable the Guest account c. Rename the Administrator account d. Disable the Guest account

c. Rename the Administrator account d. Disable the Guest account

This internal computer operation mediates all access requests and permits access only when the appropriate rules or conditions are met? a. CPU b. RAM c. Security Kernel d. User Access Control Monitor

c. Security Kernel

What type of permissions are assigned directly to a file or folder? a. encompassing b. inherited c. explicit d. overriding

c. explicit

An access control method based on the subject's clearance and the object's classification and label is referred to as: a. role based access control (RBAC). b. discretionary access control (DAC). c. mandatory access control (MAC). d. owner based access control (OBAC).

c. mandatory access control (MAC).

When you grant access to print to a printer, what are you granting? a. key b. right c. permission d. accessible

c. permission

Which type of group can be granted rights and permissions? a. SAM b. authorizing c. security d. distribution

c. security

What type of server runs Active Directory? a. file server b. NTLAN server c. member server d. domain controller

d. domain controller

What type of permissions are assigned directly to a file or folder? a. overriding b. inherited c. encompassing d. explicit

d. explicit

The ______ __________ holds a copy of the centralized database used in Active Directory.

domain controller

A permission defines the type of access that is

granted to an object or object attribute.

A dictionary attack works by

hashing each word in a wordlist (a "dictionary") and comparing the result with the hashes in the system password file to discover a match.

Biometrics is an authentication method that

identifies and recognizes people based on physical trait such as fingerprint, face recognition, iris recognition, retina scan and voice recognition.

The condition in which files automatically take on the same permissions as the folder in which they reside is called

inherited permission
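An added example, not code from the original page, that models the explicit/inherited NTFS permission cards and the copy question above. Windows orders the entries of a DACL canonically (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and walks them in that order until every requested right has been granted or a Deny hits one of them, which is why an explicit Allow on a file overrides a Deny inherited from its folder. Principals are plain names rather than SIDs, and the object names, groups and rights are constructed; treating a same-volume move as "keep explicit entries, re-inherit from the new parent" is a simplification of the real behaviour.

```python
from dataclasses import dataclass, replace

# Added example: a model of NTFS DACL evaluation with explicit and inherited
# ACEs, plus what copy and same-volume move do to them. Names constructed.


@dataclass(frozen=True)
class Ace:
    principal: str            # user or group name (a SID in real Windows)
    allow: bool               # True = Allow ACE, False = Deny ACE
    rights: frozenset         # e.g. frozenset({"read", "write"})
    inherited: bool = False   # set on entries that flowed down from the parent


@dataclass
class SecuredObject:
    name: str
    aces: list

    def canonical(self) -> list:
        # (inherited, allow) sorts False before True: explicit before inherited, Deny before Allow
        return sorted(self.aces, key=lambda a: (a.inherited, a.allow))


def check_access(obj: SecuredObject, token: frozenset, wanted: set) -> bool:
    """token = the requesting user's identity plus group memberships; wanted = rights requested."""
    remaining = set(wanted)
    for ace in obj.canonical():
        if ace.principal not in token:
            continue
        hit = ace.rights & remaining
        if not hit:
            continue
        if not ace.allow:
            return False          # a Deny reached before this right was granted
        remaining -= hit
        if not remaining:
            return True           # everything requested has been granted
    return False                  # implicit deny: nothing granted the rest


def create_child(parent: SecuredObject, name: str, explicit=()) -> SecuredObject:
    """New file/folder under parent: the parent's ACEs flow down as inherited ACEs."""
    inherited = [replace(a, inherited=True) for a in parent.aces]
    return SecuredObject(name, list(explicit) + inherited)


def copy_file(src: SecuredObject, dest_folder: SecuredObject) -> SecuredObject:
    """Copy: the new file is a new object, so it gets only the destination's inherited ACEs."""
    return create_child(dest_folder, src.name)


def move_file_same_volume(src: SecuredObject, dest_folder: SecuredObject) -> SecuredObject:
    """Move within one NTFS volume: explicit ACEs travel with the file, which then
    inherits from the new parent (a cross-volume move is a copy plus a delete)."""
    explicit = [a for a in src.aces if not a.inherited]
    return create_child(dest_folder, src.name, explicit)


if __name__ == "__main__":
    staff_token = frozenset({"alice", "Staff"})
    share = SecuredObject("Share", [Ace("Staff", True, frozenset({"read"})),
                                    Ace("Staff", False, frozenset({"write"}))])
    notes = create_child(share, "notes.txt", [Ace("alice", True, frozenset({"write"}))])
    public = SecuredObject("Public", [Ace("Everyone", True, frozenset({"read"}))])
    print("alice writes notes.txt:", check_access(notes, staff_token, {"write"}))
    print("after copy to Public:", check_access(copy_file(notes, public), staff_token, {"write"}))
    print("after move to Public:", check_access(move_file_same_volume(notes, public), staff_token, {"write"}))
```

The copy result is the one the question asks about: the explicit Allow for alice is gone because the copy is a new object that only inherits from its destination. The practical check on a real system is to look at whether each entry is marked inherited before assuming a Deny on the parent actually blocks anything.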

A security token

is a physical device that an authorized user of computer services is given to ease authentication.

Users are accounts with

lower permissions (standard users); any action that would trigger a User Account Control (UAC) prompt in Windows requires an administrator's credentials to be entered.

When two or more authentication methods are used to authenticate someone, you are implementing a ___________ _________ system.

multifactor authentication

In the DAC model, _______ can create and access their objects freely.

owners

Many organizations will usually use a ________ or ___ in combination of the smart card.

password or PIN

A right authorizes a user to

perform certain actions on a computer such as logging on to a system interactively or backing up files and directories on a system.

Mandatory access control (MAC)

access decisions are made by the system according to security labels: each object carries a classification and each subject a clearance, and the owner of the data cannot grant or change access on their own. The strictest model; think labels.
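An added example, not code from the original page, for the MAC definition above and the earlier label, clearance and "need to know" questions: a system that compares a subject's clearance with an object's classification label. A read is allowed only when the clearance dominates the label (level at least as high and every compartment held, which is what "need to know" means here); a write is allowed only upward, so nothing can be copied to a lower label; and an owner's attempt to grant access is simply refused. The level names, compartments, users and documents are constructed for illustration, following the Bell-LaPadula rules.

```python
from dataclasses import dataclass

# Added example: mandatory access control with labels and compartments.
# Levels, compartments, users and documents are constructed.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # "need to know" categories, e.g. {"CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """Level at least as high AND every compartment of `other` is held."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments


class MacSystem:
    def __init__(self) -> None:
        self.clearances: dict = {}   # subject -> clearance label
        self.labels: dict = {}       # object  -> classification label

    def set_clearance(self, subject: str, label: Label) -> None:
        self.clearances[subject] = label        # set by the security administrator

    def classify(self, obj: str, label: Label) -> None:
        self.labels[obj] = label

    def access(self, subject: str, obj: str, mode: str) -> bool:
        clearance, label = self.clearances.get(subject), self.labels.get(obj)
        if clearance is None or label is None:
            return False                         # unlabeled: default deny
        if mode == "read":
            return clearance.dominates(label)    # "no read up"
        if mode == "write":
            return label.dominates(clearance)    # "no write down"
        return False

    def owner_grant(self, owner: str, grantee: str, obj: str) -> bool:
        """Under MAC an owner cannot hand out access; only relabeling by the administrator changes it."""
        return False


def demo() -> dict:
    sysm = MacSystem()
    sysm.set_clearance("alice", Label("SECRET", frozenset({"CRYPTO"})))
    sysm.set_clearance("bob", Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})))
    sysm.classify("cipher-design.doc", Label("SECRET", frozenset({"CRYPTO"})))
    sysm.classify("warhead-specs.doc", Label("SECRET", frozenset({"NUCLEAR"})))
    sysm.classify("ts-summary.doc", Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})))
    sysm.classify("public-notice.txt", Label("UNCLASSIFIED"))
    return {
        "alice reads cipher-design": sysm.access("alice", "cipher-design.doc", "read"),
        "alice reads warhead-specs (no need to know)": sysm.access("alice", "warhead-specs.doc", "read"),
        "bob reads both": sysm.access("bob", "cipher-design.doc", "read")
                          and sysm.access("bob", "warhead-specs.doc", "read"),
        "alice writes to public-notice (write down)": sysm.access("alice", "public-notice.txt", "write"),
        "alice writes up to ts-summary": sysm.access("alice", "ts-summary.doc", "write"),
        "alice grants bob access": sysm.owner_grant("alice", "bob", "cipher-design.doc"),
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision}: {'allowed' if result else 'denied'}")
```

The warhead-specs case is the one the "need to know" question is about: alice holds the right level (SECRET) but not the NUCLEAR compartment, so the system denies the read even though the document's owner might happily have shared it under DAC.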

Nonrepudiation

prevents one party from denying actions they carried out. If proper authentication, authorization and accounting have been established, a person cannot deny actions that they carried out.

A smart card can contain digital certificates to

prove the identity of someone carrying the card and may also contain permissions and access information.

Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) are two protocols that

provide centralized authentication, authorization, and accounting (AAA) management for computers that connect to and use a network service. (TACACS+ separates the three functions and encrypts the whole packet body; RADIUS combines authentication and authorization and protects only the password field.)

A login is the process that you are

recognized by a computer system or network so that you can begin a session.

Security kernel mediates all

requests and permits access only when the appropriate rules or conditions are met

A directory service

stores, organizes and provides access to information in a directory.

Security kernel is

the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems.

Confidentiality

the characteristic of a resource ensuring access is restricted to only permitted users, applications, or computer systems.

SYSTEM is the account used by

the operating system to run services, utilities, and device drivers. This account has unlimited power and access to resources that even Administrators are denied, such as the Registry's SAM.

Discretionary access control (DAC)

the owner of the resource decides who gets in, and changes permissions as needed. The owner can give that job to others.

The most common method of authentication with computers and networks is

the password

A brute-force attack involves

trying every possible combination of characters.
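An added example, not code from the original page, for the brute-force card above and the dictionary-attack card earlier: both attacks run offline against a constructed "password file" of unsalted SHA-256 hashes, so the target system never sees a single failed logon. The hash choice, the accounts, the passwords and the wordlist are assumptions for illustration (real systems hold NT hashes, bcrypt, PBKDF2 and similar); captured NTLM challenge/response pairs are attacked in exactly the same guess-compute-compare loop.

```python
import hashlib
import itertools
import string

# Added example: offline dictionary and brute-force attacks against a
# constructed password file of unsalted SHA-256 hashes. All data constructed.

LOWERCASE = string.ascii_lowercase


def hash_pw(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data: four accounts and a tiny wordlist.
PASSWORD_FILE = {
    "alice": hash_pw("sunshine1"),
    "bob":   hash_pw("Password!"),
    "carol": hash_pw("zqxw"),
    "dave":  hash_pw("correct-horse-battery"),
}
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]


def mangle(word: str):
    """Typical wordlist rules: as-is, capitalised, trailing digit, trailing symbol."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "!"


def dictionary_attack(hashes: dict, wordlist: list) -> dict:
    """One hash per candidate, checked against every account at once. Unsalted
    hashes make this possible; a per-user salt would force one computation per
    candidate per account, and a slow hash (bcrypt, PBKDF2) makes each one costly."""
    lookup = {digest: user for user, digest in hashes.items()}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            user = lookup.get(hash_pw(cand))
            if user is not None:
                found.setdefault(user, cand)
    return found


def brute_force(hashes: dict, charset: str, max_len: int) -> tuple:
    """Enumerate every string over charset up to max_len; returns (found, candidates tried).
    Stops early once every target account is cracked."""
    lookup = {digest: user for user, digest in hashes.items()}
    found, tried = {}, 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            tried += 1
            cand = "".join(tup)
            user = lookup.get(hash_pw(cand))
            if user is not None:
                found[user] = cand
                if len(found) == len(hashes):
                    return found, tried
    return found, tried


if __name__ == "__main__":
    cracked = dictionary_attack(PASSWORD_FILE, WORDLIST)
    print("dictionary:", cracked)
    leftovers = {u: d for u, d in PASSWORD_FILE.items() if u not in cracked}
    print("brute force (lowercase, up to 4 chars):", brute_force(leftovers, LOWERCASE, 4))
```

The two attacks differ only in where the candidates come from: a wordlist plus mangling rules finds the human-chosen passwords in a handful of guesses, while exhaustive enumeration is the fallback that is certain to succeed but whose cost grows as (charset size)^length, which is the reason the length recommendation on the password cards matters more than any single character class. The long passphrase for "dave" survives both.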

A system that uses two authentication methods such as smart cards and a password can be referred to as a __________ ___________.

two-factor authentication

organizational units

used to organize objects within a domain, to delegate administration over a subset of objects, and to apply Group Policy, which minimizes the number of domains needed.

Content-dependent access control is based on

what is contained in the data. It requires the access control mechanism to look at the data to decide who should get to see it.

NTFS permissions allow you to control

which users and groups can gain access to files and folders on an NTFS volume.

