Access Controls Chapter 2
There are two types of permissions used in NTFS:
- Explicit permission - Permissions granted directly to the file or folder.
- Inherited permission - Permissions granted to a folder that flow down to its child objects.
In Windows Active Directory, there are two types of groups:
- Security Groups - can be given rights/permissions
- Distribution Groups - think email list
A user can authenticate using one or more of the following methods:
- What a user knows, such as a password or Personal Identity Number (PIN).
- What a user owns or possesses, such as a passport, smart card or ID card.
- What a user is, usually using biometric factors based on fingerprints, retinal scans, voice input or other forms.
NTLM is the
- default authentication protocol for Windows NT, for stand-alone computers that are not part of a domain, or when you are authenticating to a server using an IP address.
- acts as a fallback authentication if Kerberos authentication cannot complete, such as when it is blocked by a firewall.
- uses a challenge-response mechanism for authentication, in which clients are able to prove their identities without sending a password to the server.
Rule-based access control
A list of rules, maintained by the data owner, determines which users have access to objects. Think firewall
3 issues with Biometrics
- Accuracy
- Acceptability
- Reaction time
Actions
Activities that authorized users can perform on the resources.
Users
People who use the system.
Resources
Protected objects in the system. Resources can be accessed only by authorized subjects. Resources can be used only in authorized manners.
Identification
The method by which a subject/user requests access to a system or resource
Authorization
The process of determining who is approved for access and to what
Authentication
The validation that the subject is who they say they are
Access control provides:
a set of resources available to the authenticated identity.
Since a digital certificate is used to prove a person's identity, it can be used for
authentication.
The digital certificate is an
electronic document that contains an identity such as a user or organization and a corresponding public key.
What authentication type is the default for Active Directory? a. MS-CHAP b. MS-CHAPv2 c. Kerberos d. NTLM
c. Kerberos
Access controls can be
logical or physical
A server that is not running as a domain controller is known as a
member server
Access Control
- The process of protecting a resource so that it is used only by those allowed to do so
- Prevents unauthorized use
- Supports C-I-A
AAA is a model for access control
- authentication
- authorization
- auditing
Asynchronous
1. The user initiates a logon request.
2. The authentication server provides a challenge to the user.
3. The user enters the challenge received from the server and a secret PIN known only to the user into the calculation device.
4. The token (or program) generates the response (the password) to the challenge, which appears in the window of the token.
5. The user provides the correct password to the authentication server.
6. Access is granted.
Integrity
defined as the consistency, accuracy, and validity of data or information.
Security and authentication are based on secret key technology, where every host on the network has its own secret key.
Kerberos
Relationships
Optional conditions that exist between users and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.
Auditing
Process of creating policies and logs to track and validate access control actions
Synchronous
Time-based, event-based, continuous
A domain controller is
a Windows server that stores a replica of the account and security information of the domain and defines the domain boundaries.
Security kernel provides
a central point of access control and implements the reference monitor concept
A group is
a collection or list of user accounts or computer accounts.
Object
a distinct, named set of attributes or characteristics that represent a network resource.
- users
- computers
A smart card is
a pocket-sized card with embedded integrated circuits consisting of non-volatile memory storage components, and perhaps dedicated security logic.
Authenticated Users is
a pseudo-group; it includes both local PC users and domain users.
Any group is characterized by
a scope that identifies the extent to which the group is applied in the domain tree or forest.
A personal identification number (PIN) is
a secret numeric password shared between a user and a system that can be used to authenticate the user to the system.
A password is
a secret series of characters that enables a user to access a file, computer, or program.
What are the two major off-line attacks used to break passwords? (Pick two) a. Brute-Force b. Dictionary c. Sniffers d. Social Engineering
a. Brute-Force b. Dictionary
Best practices for creating strong passwords (Select all that apply) a. Minimum of 8 characters b. Include username c. Use special characters whenever possible d. Use upper and lower case letters
a. Minimum of 8 characters c. Use special characters whenever possible d. Use upper and lower case letters
Since a smart card can be stolen, some smart cards will not have
any markings on them, so that what they can open cannot be easily identified.
Access control defined by group or job function is called a. Role-BAC b. MAC c. DAC d. Rule-BAC
a. Role-BAC
An administrator needs to grant users access to different servers based on their job functions. Which Access Control model is the BEST choice to use? a. Role-Based Access Control b. Mandatory Access Control c. Non-Discretionary Access Control d. Discretionary Access Control
a. Role-Based Access Control
Access control model where the data owner establishes guides/rules that specify the privileges granted. a. Rule-BAC b. Role-BAC c. DAC d. MAC
a. Rule-BAC
When you create a local user on a computer running Windows 10, where is the user account stored? a. SAM b. SQL database c. Active Directory d. PAN
a. SAM
Kathy is logging into her social media account online. She enters her user ID and password. The network server then asks her to submit a key token number. She looks at the number on her USB token and sends back the number. She must be careful to enter the number correctly, because the number on her USB token changes every minute. What access control methods are being used? (Check all that apply) a. Synchronous b. Asynchronous c. MAC d. Two-factor Authentication
a. Synchronous d. Two-factor Authentication
Non-discretionary access control
is closely monitored by the security administrator, not the system administrator.
The Kerberos Key Distribution Center Server provides two key functions. They are (pick two) a. Ticket-Granting Server b. Cryptokey Management Server c. Logging Server d. Authentication Server
a. Ticket-Granting Server d. Authentication Server
The record of which users can access an object and what those users can do with it is stored in the
access control list (ACL)
A list that specifies which subjects are allowed to access an object and what operations they can perform on it is referred to as a(n): a. ACE b. ACL c. DAC d. entity
b. ACL
Full, Modify, Read & Execute, Read, Write are examples of permissions that might be on a(n) a. Sharing Folder b. Access Control List c. Entry Control List d. Authentication List
b. Access Control List
Availability
describes a resource being accessible to a user, application, or computer system when required.
Which is the least stringent version of Access Control? a. Role-BAC b. DAC c. Rule-BAC d. MAC
b. DAC
Access controls cannot be implemented in various forms, restriction levels, and at different levels within the computing environment. a. True b. False
b. False
Before authorization can occur, the identity of the account attempting to access a resource must be
determined
In Centralized Access Control, authentication is applied through the use of AAA servers. Select the benefits of this type of implementation. (Select all that apply) a. Flexibility b. Less Administration time c. Reduced Design Errors d. Consistent application of Access Control Policies
b. Less Administration time c. Reduced Design Errors d. Consistent application of Access Control Policies
Method of Access Control where objects have labels. Access is set by the system AND the data owner. a. DAC b. MAC c. Role-BAC d. Rule-BAC
b. MAC
Your organization hosts several classified systems in your data center. Management wants to increase security with these systems by using two-factor authentication. You want to restrict access only to employees who have a 'need to know'. Which of the following choices should management implement for authorization? a. Rule Based Access Control b. Mandatory Access Control c. Username and Password d. USB token and PIN
b. Mandatory Access Control
Which of the following uses an ACL? (Choose all that apply.) a. Logon rights b. NTFS folder c. Active Directory user d. Registry key
b. NTFS folder c. Active Directory user d. Registry key
Which of the following defines what a user can do to a specific object, such as read or delete the object? a. Authentication b. Permission c. Exploitation d. Authorization
b. Permission
Which of the following is a mechanism that allows authentication of dial-in and other network connections? a. VPN b. RADIUS. c. NTFS d. Single Sign-On
b. RADIUS.
When using Role Based Access Control (RBAC), permissions are assigned to: a. Groups b. Roles c. Labels d. Users
b. Roles
The network administrator has been tasked to help implement management's guidance that employees do not work on the weekends. What is the best action she/he can take to ensure compliance? (Pick the best answer) a. Implement Mandatory Access Control b. Use Rule-BAC c. Send an email out saying the network will not be available on the weekend d. Set up an ACL
b. Use Rule-BAC
What type of authentication method identifies and recognizes people based on physical traits such as fingerprints? a. digital certificates b. biometrics c. WEP d. RADIUS
b. biometrics
Bob is logging into his company's email account from his desktop at home. He has to enter his username and password into the web application. After a moment the network server provides a number that he then enters into a company app that he has on his phone. The phone app provides a new 12-digit hexadecimal number that Bob puts back into the web application. Which step in the process provides for authentication? a. username and password b. entering the 12-digit hexadecimal number c. when logged in to his desktop d. the number he gets from the network server
b. entering the 12-digit hexadecimal number
In Windows, when you copy a file from one folder to another and the folders have different access permissions, the file: a. none of the answers b. takes on the access rights of the destination folder c. must be assigned a new set of permissions manually d. retains its original access rights
b. takes on the access rights of the destination folder
Role Based Access Control (RBAC)
bases access control approvals on the jobs the user is assigned. The security administrator assigns each user to one or more roles. Some operating systems use groups instead of roles.
Active Directory is a technology created
by Microsoft that provides a variety of network services, including:
- LDAP
- Kerberos-based and single sign-on authentication
- DNS-based naming and other network information
- Central location for network administration and delegation of authority
Access control is defined by the owner/creator of the information. Users can share it with few restrictions. a. MAC b. Rule-BAC c. DAC d. Role-BAC
c. DAC
You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000 Server operating system. You want to harden the security of the server. Which of the following changes are required to accomplish this? Each correct answer represents a complete solution. (Choose two) a. Remove the Administrator account b. Enable the Guest account c. Rename the Administrator account d. Disable the Guest account
c. Rename the Administrator account d. Disable the Guest account
Which internal computer operation mediates all access requests and permits access only when the appropriate rules or conditions are met? a. CPU b. RAM c. Security Kernel d. User Access Control Monitor
c. Security Kernel
What type of permissions are assigned directly to a file or folder? a. encompassing b. inherited c. explicit d. overriding
c. explicit
An access control method based on the subject's clearance and the object's classification and label is referred to as: a. role based access control (RBAC). b. discretionary access control (DAC). c. mandatory access control (MAC). d. owner based access control (OBAC).
c. mandatory access control (MAC).
When you grant access to print to a printer, what are you granting? a. key b. right c. permission d. accessible
c. permission
Which type of group can be granted rights and permissions? a. SAM b. authorizing c. security d. distribution
c. security
What type of server runs Active Directory? a. file server b. NTLAN server c. member server d. domain controller
d. domain controller
What type of permissions are assigned directly to a file or folder? a. overriding b. inherited c. encompassing d. explicit
d. explicit
The ______ __________ holds a copy of the centralized database used in Active Directory.
domain controller
A permission defines the type of access that is
granted to an object or object attribute.
A dictionary attack works by
hashing all the words in a dictionary and then comparing the hashed value to the system password file to discover a match.
Biometrics is an authentication method that
identifies and recognizes people based on physical traits such as fingerprints, face recognition, iris recognition, retina scan and voice recognition.
The condition in which files automatically take on the same permissions as the folder in which they reside is called
inherited permission
A security token
is a physical device that an authorized user of computer services is given to ease authentication.
Users are accounts with
lower permissions, and typically require an Administrator to enter their password to do anything that would bring up a UAC console in Windows.
When two or more authentication methods are used to authenticate someone, you are implementing a ___________ _________ system.
multifactor authentication
In the DAC model, _______ can create and access their objects freely.
owners
Many organizations will usually use a ________ or ___ in combination with the smart card.
password, PIN
A right authorizes a user to
perform certain actions on a computer such as logging on to a system interactively or backing up files and directories on a system.
Mandatory access control (MAC)
permission to enter a system is kept by the owner. It cannot be given to someone else. Strongest model; think labels.
Nonrepudiation
prevents one party from denying actions they carried out. If you have established proper authentication, authorization and accounting, a person cannot deny actions that they carried out.
A smart card can contain digital certificates to
prove the identity of someone carrying the card and may also contain permissions and access information.
Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) are two protocols that
provide centralized authentication, authorization, and accounting management for computers to connect to and use a network service.
A login is the process by which you are
recognized by a computer system or network so that you can begin a session.
Security kernel mediates all
requests and permits access only when the appropriate rules or conditions are met
A directory service
stores, organizes and provides access to information in a directory.
Security kernel is
the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems.
Confidentiality
the characteristic of a resource ensuring access is restricted to only permitted users, applications, or computer systems.
SYSTEM is the account used by
the operating system to run services, utilities, and device drivers. This account has unlimited power and access to resources that even Administrators are denied, such as the Registry's SAM.
Discretionary access control (DAC)
the owner of the resource decides who gets in, and changes permissions as needed. The owner can give that job to others.
The most common method of authentication with computers and networks is
the password
A brute-force attack involves
trying every possible combination of characters.
A system that uses two authentication methods such as smart cards and a password can be referred to as a __________ ___________.
two-factor authentication
Organizational units
are used to help organize objects within a domain and minimize the number of domains.
Content-dependent access control is based on
what is contained in the data. It requires the access control mechanism to look at the data to decide who should get to see it.
NTFS permissions allow you to control
which users and groups can gain access to files and folders on an NTFS volume.