Chapter 10 - Access Control Methods and Models
ADUC
Active Directory® Users and Computers is a Microsoft Management Console (MMC) snap-in that you can use to administer and publish information in the directory.
implicit deny
Denies all traffic to a resource unless the users generating that traffic are specifically granted access to the resource. For example, when a device denies all traffic unless a rule is made to open the port associated with the type of traffic desired to be let through.
DAC
Discretionary access control (DAC) is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects, and what level of access they may have. The levels of access, or permissions, are stored in access control lists (ACLs).
Copying Folders and Files
If you copy a folder (or file) on the same volume or to a different volume, the folder inherits the permissions of the parent folder it was copied to (target directory).
Moving Folders and Files
If you move a folder (or file) to a different location on the same volume, the folder retains its original permissions. (You cannot move a folder to a separate volume; if you attempt to do so it will automatically be copied to the other volume.)
MAC
Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner. Permissions are predefined in the MAC model. The MAC model defines sensitivity labels that are assigned to subjects (users) and objects (files, folders, hardware devices, network connections, and so on). An object's label dictates what level of clearance is needed to access it, also known as a trust level (this is also known as data labeling).
Use policies
Policies governing user accounts, passwords, and so on can help you to enforce your rules.
Ctrl+Alt+Del
Pressing Ctrl+Alt+Del before the logon adds a layer of security to the logon process. This can be added as a policy on individual Windows computers. It is implemented by default with computers that are members of a domain.
RBAC
Role-Based Access Control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are configured. RBAC works with sets of permissions, instead of individual permissions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources. A role might be the ability to complete a specific operation in an organization as opposed to accessing a single data file.
MAC RBAC
Rule-based access control: Also known as label-based access control, this defines whether access should be granted or denied to objects by comparing the object label and the subject label.
Windows Server domain controller can be configured by completing the following steps
Step 1. Access the domain controller. Step 2. Create an MMC. Step 3. Add the Default Domain Policy to the MMC. (Done by adding a Group Policy Object Editor snap-in.) Step 4. In the Default Domain Policy, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. The Default Domain Policy affects all users.
Verify that the Guest account (and other unnecessary accounts) is disabled
This can be done by right-clicking the account in question, selecting Properties, and then selecting the checkbox named Account Is Disabled.
separation of duties (SoD)
This is when more than one person is required to complete a particular task or operation.
TCSEC
Trusted Computer System Evaluation Criteria (TCSEC) A DoD standard that sets basic requirements for assessing the effectiveness of computer security access policies. Also known as The Orange Book.
MAC Lattice-based access control
Used for more complex determinations of object access by subjects. Somewhat advanced mathematics are used to create sets of objects and subjects and define how the two interact.
UAC
User Account Control (UAC) is a security component of Windows that keeps every user (besides the actual Administrator account) in standard user mode instead of as an administrator with full administrative rights. UAC was created with two goals in mind: * To eliminate unnecessary requests for excessive administrative-level access to Windows resources * To reduce the risk of malicious software using the administrator's access control to infect operating system files
Least privilege
When a user is given only the amount of privileges needed to do his job.
Job rotation
When users are cycled through various assignments. This is one of the checks and balances that might be employed to enforce the proper separation of duties. Job rotation is when users are cycled through various assignments to * Increase user insight as to overall operations * Reduce employee boredom * Enhance employee skill level * Increase operation security Job rotation creates a pool of people that can do an individual job and discourages hoarding of information. It also helps to protect the purity of an operation.
ACL
access control list (ACL): access control list (ACL) A list of permissions attached to an object. ACLs specify what level of access a user, users, or groups have to an object. When dealing with firewalls, an ACL is a set of rules that applies to a list of network names, IP addresses, and port numbers.
Activate Administrator account
net user administrator /active:yes