Security Chapter 2
Security principal
An object that can be given permissions to an object including user accounts, computer accounts, and security group accounts.
Generic Containers
Like OUs, these containers are used to organize Active Directory objects. • Are created by default • Cannot be moved, renamed, or deleted • Have very few properties you can edit You cannot create these containers. Use OUs instead.
Type 3
Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication.
Type 5
Something you do is a supplementary authentication factor that requires an action to verify a user's identity.
Type 2
Something you have (also called token-based authentication) is authentication based on something a user has in their possession.
Type 1
Something you know authentication requires you to provide a password or some other data that you know.
Type 4
Somewhere you are (also known as geolocation) is a supplementary authentication factor that uses physical location to verify a user's identity.
Deny Permissions
These permissions always override Allow permissions. Explicit permissions override inherited permissions, even Deny permissions.
Kerberos (SSO)
This SSO solution is an open system that can be used on Macintosh and Unix systems. It is built into Windows 2000 Active Directory.
Explicit deny
This access control identifies users or groups who are not allowed access. This is the strongest form of access control and overrules all other privileges granted.
Explicit allow
This access control specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject.
Processing rate
This identifies the number of subjects or authentication attempts that can be validated. An acceptable rate is 10 subjects per minute or more.
Access control list (ACL)
This identifies users or groups who have specific security assignments to an object.
Directory services
This implements single sign-on for resources on the network. • Active Directory on a Microsoft network • eDirectory on a Novell network • LDAP Directory Services
Active Directory
This is a centralized database that contains user account and security information.
Forest
This is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.
SSO
This is a distributed access method that allows a subject to log in (sign on) once to a network and access all authorized resources on the network.
Tree
This is a group of related domains that share the same contiguous DNS namespace
User Right
This is a privilege or action that can be taken on the system, such as logging on, shutting down the system, backing up the system, or modifying the system date and time.
Domain Controller
This is a server that holds a copy of the Active Directory database that can be written to.
Defense-in-depth
This is an access control method which implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass the security measures.
Domain
This is an administratively-defined collection of network resources that share a common directory database and security policies.
Discretionary Access Control List (DACL)
This is an implementation of discretionary access control (DAC). Owners add users or groups to this for an object and identify the permissions allowed for that object.
Secure European System for Applications in a Multi- Vendor Environment (SESAME)
This is is an SSO technology which uses asymmetric cryptography.
Organizational Unit (OU)
This is like a folder that subdivides and organizes network resources within a domain. • Can hold other organizational units • Can hold objects such as users and computers • Can be used to logically organize network resources • Simplifies security administration
Crossover error rate
This is the point at which the number of false positives matches the number of false negatives in a biometric system.
Integrity
This is the term used in ensuring that information is not corrupted or inappropriately altered.
Clark-Wilson
This model (also referred to as an RBAC model) is a non-discretionary access control model that is primarily based on controlled intermediary access applications that prevent direct access to the back-end database. This model: +Introduces a concept called the access control triple. +Addresses integrity for commercial use. +Defines well-formed transactions, separation of duty, and auditing.
Brewer and Nash Module/Chinese Wall
This model addresses commercial integrity, fair competition, and the avoidance of conflict of interest. This model: + Dynamically assembles ACLs based on the object that a subject accesses. + Is built upon an information flow model. + Restricts information from flowing in a way that would create a conflict of interest. In this model, a subject with access to one company's data is not allowed to access a competitor's data.
Role-Based Access Control (RBAC)
This model allows access based on a role in an organization, not individual users. Role-based access control is also known as non discretionary access control. Roles are defined by job description or security access level. Users are made members of a role and receive the permissions assigned to the role.
Temporal Role-Based Access Control (TRBAC)
This model allows for role-based access control rules to only be in effect for a certain time period.
Discretionary Access Control (DAC)
This model assigns access directly to subjects based on the discretion (or decision) of the owner.
Bell-LaPadula
This model is a centralized form of access control that uses management- or government-issued clearance labels for subjects and classification labels for objects. It implements the following principles: +Simple security property +Star property +Strong star property Is a Mandatory Access Control (MAC) model.
Biba
This model is a centralized form of access control that uses management- or government-issued clearance labels for subjects and classification labels for objects. It implements the following principles to maintain the integrity information: +Star integrity axiom +Simple integrity axiom Is a Mandatory Access Control (MAC) model.
View-based Access Control (VBAC)
This model is a type of constrained user interface used to control a subject's access to specific parts of database applications according to the rights associated with the subject.
Federated Access Control (FIM)
This model is an arrangement that can be made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group. The use of such a system is sometimes called identity federation.
Context-based Access Control (CBAC)
This model is mostly used to expand the decision-making capabilities of firewall applications to include the ability to base decisions on the state as well as the application-layer protocol session information.
Content Dependent Access Control (CDAC)
This model protects databases that contain sensitive information from a breach of privacy. It is commonly based on the Abrams and LaPadula Generalized Framework for Access Control (GFAC) and works by permitting or denying the access control subjects to access objects based on the content of the object
State machine
This model states that a system should never reside in a non-secure state. A system is considered secure if it starts, runs, and shuts down in a secure state.
Rule Set-Based Access Control (RSBAC)
This model uses characteristics of objects or subjects, along with rules, to restrict access. Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.
Mandatory Access Control (MAC)
This model uses labels (or attributes) for both subjects and objects. Any operation by any subject on any object will be tested against a set of authorization rules (or policies) to determine if the operation is allowed.
False negative
This occurs when a person who should be allowed access is denied access.
False positive
This occurs when a person who should be denied access is allowed access.
Principle of least privilege
This principle states that users or groups are given only the access they need to do their job (and nothing more).
Confidentiality
This term is keeping secrets a secret. It is also referred to as privacy.
System Access Control List (SACL)
This type of access is used by Microsoft for auditing to identify past actions performed by users on an object.
Effective Permissions
This type of permission's access rights (permissions) are cumulative. If you are a member of two groups, both with different permissions, you will have the combined permissions of both groups. These permissions are the combined inherited permissions and explicit permissions.
Authentication, authorization, and auditing
What are known as the AAA of access control?
Objects (Access Control)
What are the data, applications, systems, networks, and physical space for access control?
Subjects (Access Control)
What are the users, applications, or processes that need access to objects for access control?
Access control
What gives you the ability to permit or deny the privileges that users have when accessing resources on a network or computer?
System (Access Control)
What includes the policies, procedures, and technologies that are implemented to control a subject's access to an object for access control?
Directory Service
What is an example of a technical access control system that you use to manage and enforce access control policies on a network?
Cumulative Permissions
What is the term for this? A user's effective permissions for a resource is the sum of the NTFS permissions assigned to the individual user account and to all of the groups to which the user belongs, so if a user has Read permission for a folder and is a member of a group with Write permission for the folder, the user has both Read and Write permission.
Implicit deny
With this access control, users or groups which are not specifically given access to a resource are denied access. This is the weakest form of privilege control.
Objects
Within Active Directory, each resource is identified as these. These include: • Users • Groups • Computers • Printers • Shared folders