CompTIA Security+ Section 20: Access Control
What are the different Access Control Models?
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
  - Rule-Based Access Control
  - Lattice-Based Access Control
- Role-Based Access Control
- Attribute-Based Access Control (ABAC)
What does #chmod 777 <filename> mean?
- Owner can RWX
- All groups can RWX
- All users can RWX
What does #chmod 760 <filename> mean?
- Owner can RWX
- Group can RW
- All Users (no access)
How can permissions be set within Linux?
- Read
- Write
- Execute
Best Practices for Access Control
- Separation of duties
- Job rotation
- Least privilege
- Implicit deny
- Mandatory vacations
What number correlates to X (Execute) permissions within Linux?
1
How can you keep your usernames, passwords, and accounts secure?
1. Always require the user to change the default password when the account is created
2. Require that the password is changed frequently (every 90 days)
3. Always change the default Administrator or Root password
4. Disable the Guest account on your systems
5. Enable CTRL+ALT+DEL for logging into the system
   - Turn this on in the Advanced tab of the User Accounts dialogue box
6. Use good, strong policies regarding your passwords
Benefits of using User Account Control (UAC)
1. Eliminates unnecessary admin-level requests for Windows resources
2. Reduces risk of malware using admin-level privileges to cause system issues
How can you create a new user within an ADUC?
1. Right-click on an empty area in the Users folder of ADUC and select Create New User
2. Create a new user within the Organizational Unit (OU) within Active Directory
What number correlates to W (Write) permissions within Linux?
2
What number correlates to R (Read) permissions within Linux?
4
What is the minimum number of characters for a secure password?
8
User Account Control (UAC)
A security component in Windows that keeps every user in standard user mode instead of acting like an administrative user
- Can be disabled from the Control Panel (not recommended)
ADUC
Active Directory Users and Computers
Implicit Deny
All access to a resource should be denied by default and only be allowed when explicitly stated.
A rule in an ACL that blocks all traffic that hasn't been explicitly allowed. This rule is the last rule in an ACL.
Mandatory Access Control (MAC)
An access control policy where the computer system determines the access control for an object. The computer chooses the permissions.
Relies on security labels being assigned to every user (called a subject) and every file/folder/device or network connection (called an object). Data labels create trust levels for all subjects and objects. To access something, you need to meet the minimum level and have a "need-to-know".
Implemented through the Rule-based and the Lattice-based access control methods.
An access control model that uses sensitivity labels assigned to objects (files and folders) and subjects (users). MAC restricts access on a need-to-know basis.
Role-Based Access Control (RBAC)
An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level
- Power Users is a role-based permission
An access control model that uses roles based on jobs and functions to define access. It is often implemented with groups (providing group-based privileges).
Attribute-Based Access Control (ABAC)
An access model that is dynamic and context-aware using IF-THEN statements
- If Jason is in HR, then give him access to \\fileserver\HR
An access control model that grants access to resources based on attributes assigned to subjects and objects.
How do you get rid of propagation?
By breaking the inheritance
Groups
Collection of users based on common attributes (generally work roles)
Strong Passwords
Contain uppercase letters, lowercase letters, numbers, special characters, and at least 8 characters or more (preferably 14 or more)
Rule-based Access Control
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label - type of MAC
Access Control
Methods used to secure data and information by verifying a user has permissions to read, write, delete, or otherwise modify it
Privilege Creep
Occurs when a user accumulates additional permissions over time as they rotate through different positions or roles. Violates the principle of least privilege.
Propagation
Occurs when permissions are passed to a subfolder from the parent through inheritance
Job Rotation
Occurs when users are cycled through various jobs to learn the overall operations better, reduce their boredom, enhance their skill level, and most importantly, increase our security. Helps the employee become more well-rounded and learn new skills. This also helps the organization identify theft, fraud, and abuse of position.
A process that ensures employees rotate through different jobs to learn the processes and procedures in each job. It can sometimes detect fraudulent activity.
Who are permissions set to/assigned to?
Owners (U), Groups (G), and All Users (O or A)
User Rights
Permissions assigned to a given user
User Access Recertification
Process where each user's rights and permissions are revalidated to ensure they are correct
chmod
Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system
Separation of Duties
Requires more than one person to conduct a sensitive task or operation. Can also be applied to a single person by giving them separate user and admin accounts.
A security principle that prevents any single person or entity from controlling all the functions of a critical or sensitive process. It's designed to prevent fraud, theft, and errors.
Discretionary Access Control (DAC)
The access control policy is determined by the owner. Commonly used.
Two things need to be met:
1. Every object in a system must have an owner
2. Each owner determines access rights and permissions for each object
An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Microsoft NTFS uses this model.
UAC
User Account Control
Least Privilege
Users are only given the lowest level of access needed to perform their job functions.
- "Does everyone in the company need to know employee salary data?"
A security principle that specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
Lattice-based Access Control
Utilizes complex mathematics to create sets of objects and subjects to define how they interact - type of MAC
How can permissions be set within Windows?
- Full Control
- Modify
- Read & Execute
- List Folder Contents
- Read
- Write