Chapter 5: Designing an Access Control Strategy for Network Resources




In this chapter, you will learn how to design an access control strategy. You will learn the details of discretionary, role-based, and mandatory access control and be able to explain the process that occurs when a user logs on and receives an access token, which is used when the user attempts to access a resource. You will see how the operating system enforces access control and learn some of the best practices for administrative accounts. We will explain the basic guidelines for auditing the use of permissions as well as user rights.

We will show you what access control entails and why it is such an important topic. You will be able to recognize the differences between user-based and password-based access control as well as the difference between user rights and a user’s permissions.

Designing Access Control Strategies

Access control is defined as the process of authorizing users or groups to access resources, such as files or printers on the network. As stated in Chapter 4, “Designing an Authentication Strategy for Active Directory,” network security is based on two fundamental concepts:

Authentication: Authentication is the process of determining the identity of something or someone.

Authorization: Authorization is determining what the authenticated identity is allowed to do.

The key concepts that define access control are explained in the following topics:

Ownership of objects: When an object is created, Windows assigns it an owner. The owner, by default, is the creator of the object (e.g., the user who creates the printer object in the directory).

Permissions assigned to objects: The principal technique for implementing access control is permissions. Permissions are used to grant or deny users and groups a specified action. The permissions are implemented, typically, through the use of security descriptors. Security descriptors are attributes attached to an object that specify the permissions granted to users and groups, the security events to be audited, and the owner of the object. An example of a permission assigned to an object is the Read permission on a specific file assigned to a security group.

A security descriptor contains two access control lists (ACLs). An access control list is a list of security protections that apply to an entire object, to a set of the object’s properties, or to an individual property of an object. Simply put, the ACL contains all of the permission attributes regarding an object, including who is explicitly granted access as well as those explicitly denied access to the object. There are two types of ACLs:

  • Discretionary access control lists (DACLs): The discretionary access control list (DACL) is the part of the security descriptor that grants or denies specific users and groups access to the object. Only the owner of the object can change permissions granted or denied in the DACL.

  • System access control lists (SACLs): The system access control list (SACL) is the part of the security descriptor that dictates which events are to be audited for specific users or groups.

Both the DACL and the SACL consist of access control entries (ACEs), which contain each user’s or group’s attributes on the object. In order to view the DACLs and SACLs, you must enable Advanced Features from the Active Directory Users And Computers tool’s View menu.

Inheritance of permissions: Inheritance, implemented by Windows, causes an object created in a container to inherit the permissions of its parent container. For example, when files are created within a folder, they will inherit the permissions that are assigned to the folder.

Object managers: When individual permissions need to be adjusted, you will use the appropriate tool to manage the object type. For example, to modify the permissions of a folder, you would right-click the folder in Windows Explorer and then choose the Properties menu option. The Permissions tab would then be used to change the permissions for the folder.

Object auditing: Windows provides the ability to audit users’ access to objects. You can use the security log to view these events.
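The security descriptor layout described above (owner, DACL, SACL, and the ACEs inside each list), as an added example that is not from the book: Windows can render a descriptor as a Security Descriptor Definition Language (SDDL) string, and this Python sketch splits one into those parts, marking which ACEs deny, allow, audit, or were inherited. The sample string and the helper names (parse_sddl, parse_aces, pairs) are constructed for illustration.

```python
import re

# Subset of SDDL abbreviations; hex access masks are not handled in this sketch.
SIDS = {"BA": "Builtin Administrators", "SY": "Local System", "BU": "Builtin Users",
        "AU": "Authenticated Users", "WD": "Everyone"}
RIGHTS = {"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


def pairs(text):
    """Split a run of two-letter SDDL codes: 'OICIID' -> ['OI', 'CI', 'ID']."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_aces(acl):
    """Turn '(type;flags;rights;;;trustee)...' into a list of ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        flags = pairs(flags)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "trustee": SIDS.get(trustee, trustee),
            "rights": [RIGHTS.get(r, r) for r in pairs(rights)],
            "inherited": "ID" in flags,      # copied down from the parent container
            "audit_success": "SA" in flags,  # meaningful in SACL entries only
            "audit_failure": "FA" in flags,  # as an ACE flag, FA means failed access
        })
    return aces


def parse_sddl(sddl):
    """Split a descriptor into owner (O:), group (G:), DACL (D:) and SACL (S:)."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    return {
        "owner": SIDS.get(parts.get("O"), parts.get("O")),
        "group": SIDS.get(parts.get("G"), parts.get("G")),
        "dacl": parse_aces(parts.get("D", "")),
        "sacl": parse_aces(parts.get("S", "")),
    }


# Constructed sample descriptor for a folder (not taken from a real system).
SAMPLE = "O:BAG:SYD:AI(D;;FW;;;BU)(A;OICI;FA;;;BA)(A;OICIID;FR;;;AU)S:(AU;SAFA;FW;;;WD)"

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE)
    print("owner:", sd["owner"])
    for ace in sd["dacl"] + sd["sacl"]:
        print(ace)
```

In the sample, the DACL holds one explicit deny, one explicit allow, and one inherited allow, while the single SACL entry audits both successful and failed write attempts by Everyone.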






MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
