Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 7: Access Control Fundamentals

Objectives
• Define access control
• List the four access control models
• Describe logical access control methods
• Explain the different types of physical access control

What is Access Control?
• Access control – the process by which resources or services are granted or denied on a computer system or network
• Four standard steps of access control:
  – Identification
    • The user presents credentials or identification (e.g. a username)
  – Authentication
    • Validate that the user's credentials are authentic
  – Authorization
    • Grant permission to take the action
  – Access
    • Provide only the specific services or applications the user needs in order to perform their duties

Access Control Terminology (cont.)
• Computer access control can be accomplished by one of three entities:
  – Hardware
  – Software
  – Policy
• Access control can take different forms depending on the resources that are being protected
• Computer systems impose access controls based on:
  – Object
  – Subject
  – Operation

Access Control Models
• Access control model – provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications
  – Used for hardware / software validation
• Once an access control model is applied
  – Custodians can configure security based on the requirements set by the owner
    • So that end users can perform their job functions

Access Control Models (cont.)
• Mandatory Access Control (MAC) model
  – Users cannot implement, modify, or transfer any controls
  – The owner and custodian are responsible for managing access
  – The most restrictive model, because all controls are fixed
  – In the original MAC model, all objects and subjects were assigned a numeric access level
    • The access level of the subject had to be higher than that of the object in order for access to be granted

Access Control Models (cont.)
• Discretionary Access Control (DAC) model
  – The least restrictive – the subject has total control over any objects that he or she owns
    • Includes programs associated with those objects
    • The subject can also change the permissions of other subjects over those objects
  – Two significant weaknesses
    • Relies on the subject to set the proper level of security
    • The subject's permissions are "inherited" by programs that the subject executes

Access Control Models (cont.)
• User Account Control (UAC)
  – Operating systems prompt the user for permission whenever software is installed

Access Control Models (cont.)
• Three primary security restrictions implemented by UAC:
  – Run with limited privileges by default
  – Applications run in standard user accounts
  – Standard users perform common tasks
• Another way of controlling DAC inheritance is to automatically reduce the user's permissions
  – Enforces the principle of least privilege

Access Control Models (cont.)
• Role Based Access Control (RBAC) model
  – Sometimes called Non-Discretionary Access Control
  – Considered a more "real world" approach than the other models
  – Assigns permissions to particular roles in the organization, and then assigns users to those roles
  – Objects are set to be a certain type, to which subjects with that particular role have access
Access Control Models (cont.)
• Rule Based Access Control (RBAC) model
  – Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
  – Can dynamically assign roles to subjects based on a set of rules defined by a custodian
  – Each resource object contains a set of access properties based on the rules
• Rule Based Access Control is often used for managing user access to one or more systems

Practices for Access Control
• Separation of duties
  – Requires that if the fraudulent application of a process could potentially result in a breach of security
    • then the process should be divided between two or more individuals
• Job rotation
  – Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
  – A common use is to enforce mandatory vacations; this allows a different user to audit how security is implemented, which helps prevent collusion

Practices for Access Control (cont.)
• Least privilege
  – Each user should be given only the minimal amount of privileges necessary to perform his or her job function
• Implicit deny
  – If a condition is not explicitly met, then it is to be rejected
• Implementing access controls – two broad categories
  – Physical access control
  – Logical access control

Logical Access Control Methods
• Logical access control includes:
  – Access control lists (ACLs)
  – Group policies
  – Account restrictions
  – Passwords

Access Control Lists (ACLs)
• Access control list (ACL) – permissions assigned to an object
  – Specifies which subjects are allowed what kind of access to the object
  – Most often viewed in the context of the OS
  – The structure behind ACL tables is complex
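The MAC, DAC and role-based decision rules on the preceding slides, together with implicit deny, as an added worked example (this code is not from the textbook; the subjects, objects, roles, permissions and the numeric levels are constructed sample data):

```python
# Added example (not from the textbook): toy policy checks for the MAC, DAC and
# role-based models on the slides, with implicit deny. All data is constructed.
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    clearance: int                                  # numeric access level (MAC)
    roles: set = field(default_factory=set)         # roles held (role-based model)

@dataclass
class Resource:
    name: str
    owner: str                                      # DAC: owner has total control
    level: int                                      # numeric access level (MAC)
    dac_perms: dict = field(default_factory=dict)   # subject -> ops granted by owner

# Role-based model: permissions attach to roles, users are assigned to roles
ROLE_PERMS = {"auditor": {"read"}, "editor": {"read", "write"}}

def mac_allows(subject, obj):
    # Original MAC rule from the slides: subject level must be higher than object level
    return subject.clearance > obj.level

def dac_allows(subject, obj, op):
    # Owner may do anything; others get only what the owner explicitly granted
    if subject.name == obj.owner:
        return True
    return op in obj.dac_perms.get(subject.name, set())

def rbac_allows(subject, op):
    return any(op in ROLE_PERMS.get(role, set()) for role in subject.roles)

def check(model, subject, obj, op):
    """True only when the chosen model explicitly allows the operation; anything
    else, including an unknown model name, is implicitly denied."""
    if model == "MAC":
        return mac_allows(subject, obj)
    if model == "DAC":
        return dac_allows(subject, obj, op)
    if model == "RBAC":
        return rbac_allows(subject, op)
    return False

# Constructed sample data: alice owns the report and granted bob read access only
alice = Subject("alice", clearance=3, roles={"editor"})
bob = Subject("bob", clearance=1, roles={"auditor"})
report = Resource("report.txt", owner="alice", level=2, dac_perms={"bob": {"read"}})
```

Note how the same request (bob writing the report) is refused under every model for a different reason: level too low under MAC, no owner grant under DAC, no role permission under RBAC.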
• Access control entry (ACE)
  – Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems

Access Control Lists (ACLs) (cont.)
• In Windows, the ACE includes four items of information:
  – A security identifier (SID) for the user account, group account, or logon session
  – An access mask that specifies the access rights controlled by the ACE
  – A flag that indicates the type of ACE
  – A set of flags that determine whether child objects can inherit permissions

Group Policies
• Group Policy
  – Feature within Microsoft Windows Active Directory (AD)
  – Provides centralized management and configuration of computers and remote users
  – Primarily used in enterprise environments to restrict user actions that pose a security risk
  – Group Policy settings are stored in Group Policy Objects (GPOs)

Account Restrictions
• Time of day restrictions
  – Limit when a user can log on to a system
  – These restrictions can be set through a Group Policy
  – Can also be set on individual systems
• Account expiration
  – The process of setting a user's account to expire based on a date
  – Orphaned accounts are user accounts that remain active after an employee has left an organization
    • Can be controlled using account expiration

Passwords
• Password
  – The most common logical access control
  – Sometimes referred to as a logical token
  – A secret combination of letters, numbers, and possibly other characters that only the user knows
  – A password should never be written down
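How the four ACE fields listed above are used when an access request is evaluated, as an added example (not from the textbook and not Windows' actual implementation): each ACE carries a SID, an access mask, a type flag and an inheritance flag; deny entries are checked before allows, and anything not explicitly granted is implicitly denied. The mask bits, flag values and SIDs are constructed placeholders.

```python
# Added example (not from the textbook): evaluating a Windows-style ACL whose ACEs
# hold the four items the slides list: SID, access mask, ACE type, inheritance flags.
# Access-mask bits, flag values and SIDs below are constructed placeholders.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4          # constructed access-mask bits
ALLOW, DENY = "allow", "deny"                 # ACE type flag
INHERIT = 0x1                                 # constructed inheritance flag

def ace(sid, mask, kind=ALLOW, flags=0):
    return {"sid": sid, "mask": mask, "type": kind, "flags": flags}

def access_check(acl, principal_sids, requested):
    """Walk the ACL in order. A DENY ACE for one of the principal's SIDs that covers
    any requested bit refuses access outright; ALLOW ACEs accumulate granted bits.
    Whatever is never explicitly granted stays denied (implicit deny)."""
    if requested == 0:
        return False
    granted = 0
    for entry in acl:
        if entry["sid"] not in principal_sids:
            continue                          # ACE does not apply to this principal
        if entry["type"] == DENY and entry["mask"] & requested:
            return False
        if entry["type"] == ALLOW:
            granted |= entry["mask"] & requested
            if granted == requested:
                return True                   # every requested bit is now granted
    return False

def inherit(parent_acl):
    """A child object receives only the parent ACEs whose inheritance flag is set."""
    return [entry for entry in parent_acl if entry["flags"] & INHERIT]

# Constructed placeholder SIDs (not real Windows identifiers)
SID_ALICE = "S-1-5-21-PLACEHOLDER-1001"
SID_STAFF = "S-1-5-21-PLACEHOLDER-2001"
SID_CONTRACTORS = "S-1-5-21-PLACEHOLDER-2002"

# Deny ACEs are listed first so they are evaluated before any allow
FOLDER_ACL = [
    ace(SID_CONTRACTORS, WRITE, DENY, INHERIT),
    ace(SID_STAFF, READ | EXECUTE, ALLOW, INHERIT),
    ace(SID_ALICE, READ | WRITE, ALLOW),      # not inheritable: applies to the folder only
]
```

A principal's SID set normally includes its group SIDs, so a deny on a group the user belongs to overrides any allow granted to the user directly, which is why ordering and group membership both matter when reviewing an ACL.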
  – Must also be of sufficient length and complexity so that an attacker cannot easily guess it (the password paradox)

Passwords (cont.)
• Password attacks:
  – Brute force attack
    • Guess a password by combining random characters
    • Passwords typically are stored as a "hash"
      – Attackers try to steal the file of hashed passwords and break the hashes offline
  – Dictionary attack
    • The attacker obtains hashes of common dictionary words
      – Compares the hashed dictionary words against the stolen password file
  – Rainbow tables
    • Large tables of pre-generated hash values

Passwords (cont.) – Rainbow Tables (cont.)
  – Generating a rainbow table requires a significant amount of time
  – Rainbow table advantages:
    • Can be used repeatedly
    • Faster than dictionary attacks
    • Memory needed on the attacking machine is reduced
  – The success of rainbow tables is tied to older Windows OS password hashing algorithms
• A defense against breaking encrypted passwords with rainbow tables
  – Add complexity to the hash by including a random sequence of bits as input along with the user-created password
    • These random bits are known as a salt
  – Makes brute force, dictionary, and rainbow table attacks much more difficult

Passwords (cont.)
• Password policy
  – A strong policy can provide defenses against attacks
  – First policy: create and use strong passwords
• Best defenses against rainbow tables:
  – Prevent attackers from capturing password hashes
  – Use 3rd-party applications to track password complexity and lifetime

Domain Password Policies
• Domain password policy
  – Restrictions set through the domain password policy
  – There are six common Windows domain password policy settings, called password setting objects
    • Used to build a domain password policy
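Why the salt described above defeats a precomputed table, as an added example (not from the textbook): an unsalted hash of a dictionary word is found by a single lookup, while the same password stored with a random per-user salt is not in the table at all. The word list and passwords are constructed, and PBKDF2-HMAC-SHA256 is assumed as the salted scheme.

```python
# Added example (not from the textbook): why a per-user salt defeats precomputed hash
# tables. The word list and passwords are constructed; PBKDF2-HMAC-SHA256 stands in
# for a real password hashing scheme.
import hashlib
import hmac
import os

DICTIONARY = ["password", "letmein", "qwerty", "summer2009"]   # constructed word list

def unsalted_hash(password):
    # Plain hash, no salt: the same password always produces the same digest
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precomputed digest -> word map, the idea behind dictionary and rainbow table
    attacks: built once, reusable against any file of unsalted hashes."""
    return {unsalted_hash(w): w for w in words}

def lookup(stored_digest, table):
    return table.get(stored_digest)            # None when the digest is not in the table

def store_salted(password, salt=None, iterations=100_000):
    """Hash the password together with a random per-user salt. Two users with the
    same password get different digests, so no single precomputed table matches."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def demo():
    table = build_lookup_table(DICTIONARY)
    found_unsalted = lookup(unsalted_hash("letmein"), table)   # hit: "letmein"
    salt, digest = store_salted("letmein")
    found_salted = lookup(digest.hex(), table)                 # miss: None
    return found_unsalted, found_salted, verify_salted("letmein", salt, digest)
```

The iteration count also matters: it makes each guess expensive, which is the other half of the defense once an attacker has the hash file and the salt.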