CompTIA Security+ SY0-601 – 3.8 Implement authentication and authorization solutions. Part 2

  1. Access control schemes

In this video I’m going to be talking about access control schemes. Access control, by definition, is controlling the access between subjects and objects and ensuring that the subject meets the object’s access requirements. What does all that mean? Subjects are the users, the people who want to get at your resources. Objects are the things they’re trying to access: file servers, folders, databases, email. Access control governs which subjects get to which objects. There are a variety of schemes here, and they’re really important for your exam, because the exam is going to test you on them: discretionary access control (DAC), attribute-based access control (ABAC), role-based access control (RBAC), rule-based access control, and mandatory access control (MAC).

These are the ones that are going to show up on your exam, so let’s get into it. The first one is discretionary access control. DAC is what Windows file permissions are based on. In DAC every object has an owner: whoever creates the object owns it and can set the permissions on it. That is exactly how a normal Windows system works. Discretionary access control is also known as identity-based access control. Remember for your exam that it’s based on owners: when an owner creates an object, they own it and they set its permissions. Let me show you. This machine right now is using discretionary access control. If I make a folder and call it Docs...

This folder was made by me, so I’m the object creator and the owner. I can right-click it, go to Properties, then Security, and set the file system permissions. Here I can go in and say, you know what, I want Everyone to be able to access this folder, and I’m going to give them Full Control. Why can I do that? Because I own this folder. Notice how discretionary access control gives me, the owner, control over the permissions on that object; I can change the file system permissions as I see fit. That is usually not a good thing, because it means privileged access management, deciding who has which privilege, is being done by the users themselves rather than by the administrators.

I’m basically allowing privileged access to anybody I want. That is not something you want users doing, especially in high-security environments. DAC is probably fine at home, or in a small network where security is not a big concern, where everyone knows everyone and we all trust each other; in an office of three or four users it’s probably fine. Beyond that you want to take that ability away from users. You want to grant access based on conditions, such as what group you’re in: are you a member of the accounting group or the sales group? That is a more conditional kind of access, and to do it we’re going to use the next scheme. Let me erase all this text.

The next one I want to talk about is role-based access control (RBAC). RBAC is when you create different roles within the organization and then assign users to those roles; the objects you can access depend on the role you’re in. This is the common practice of putting people into groups, a sales group, a finance group, a management group, assigning each user to the right group, and then assigning the permissions to the groups. Watch. If I go into Computer Management on this computer, down to Local Users and Groups, I can create a new group, call it Accountant, and click Create.

So this group is our role. The Accountant group can hold users. Who do I have? I have Andrew. Maybe I’ll make a new user called Bob and give Bob a password (I don’t need to make him change it). Now I have Bob, and I can go to the group and add Bob as a member. So you take the users and put them into the groups, which are the roles. Now this becomes a lot easier to manage, because instead of assigning individual access to the folder like I just did, I can go into the folder’s security settings, remove Everyone, and add the Accountant group. Did I get that right? Accountant.

There we go, I misspelled it the first time. Now I can give the Accountant group access to the folder, and only members of that group can get to it. So I assign permissions to the people in the accounting group; you don’t want to give them Full Control, just the access to that folder they need. As I create users I keep doing this: make a group for sales, finance, accounting, each a different role, and assign the permissions on the objects to the role. You want to access that application? You have to be a member of that group, in that role. You want the accounting application? You’ve got to be in the accounting group. You want the sales application? You have to be in the sales group. Role-based access control is a lot easier to manage.

You’re not giving individual access; you’re giving group or role access to the users on your network. This is good for high-turnover environments. If you manage a place where people come and go all the time, this is the way to do it, because now you don’t have to worry about someone leaving and having to delete their permissions from a hundred different shared folders. When they come in, add them to a group; when they leave, remove them from the group, and that’s it. One caveat: NTFS is still discretionary underneath (an owner is still editing the ACL), so groups are how you apply the role-based pattern on Windows rather than a separate enforcement mechanism. Okay, the next one we want to mention is rule-based access control. Rule-based, not role-based. Rule-based access control is when you manage access based on a series of rule sets: do I allow it, yes or no? Firewalls are based on this.
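Before moving on to rule-based control, here is the difference between the two schemes just demonstrated as a small model you can run. This is an added example in Python, not code from the video or from Windows: the users, the Docs/Ledger/Payroll objects and the Accountant role are made up, and rights are reduced to read, write and full. It shows the two things the demo shows on screen: under DAC the owner alone edits the ACL and can hand Everyone full control, while under RBAC offboarding a user is a single role removal rather than a cleanup across every folder.

```python
"""DAC vs RBAC in miniature: who gets to set permissions, and how offboarding works.

Added example, not code from the video. Users, roles and object names are constructed;
rights are reduced to "read", "write" and "full".
"""
from dataclasses import dataclass, field

FULL = "full"


@dataclass
class DacObject:
    """Discretionary: the creator owns the object and is the only one who edits its ACL."""
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # principal -> rights

    def grant(self, actor: str, principal: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name} and cannot edit its ACL")
        self.acl.setdefault(principal, set()).add(right)

    def allows(self, user: str, right: str) -> bool:
        # "Everyone" stands in for the Windows well-known group of that name.
        for principal in (user, "Everyone"):
            rights = self.acl.get(principal, set())
            if right in rights or FULL in rights:
                return True
        return False


class Rbac:
    """Role-based: permissions hang off roles; users are only ever assigned to roles."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}  # role -> {(object, right)}
        self.user_roles: dict[str, set[str]] = {}

    def grant_role(self, role: str, obj: str, right: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, right))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user: str, obj: str, right: str) -> bool:
        return any((obj, right) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def dac_demo() -> dict[str, object]:
    docs = DacObject("Docs", owner="andrew")
    docs.grant("andrew", "Everyone", FULL)        # the owner can hand out Full Control at will
    try:
        docs.grant("bob", "bob", "write")          # a non-owner cannot touch the ACL
        bob_edited_acl = True
    except PermissionError:
        bob_edited_acl = False
    return {"bob_can_write": docs.allows("bob", "write"), "bob_edited_acl": bob_edited_acl}


def rbac_demo() -> dict[str, object]:
    rbac = Rbac()
    for obj in ("Docs", "Ledger", "Payroll"):       # one rule per object, attached to the role
        rbac.grant_role("accountant", obj, "read")
    rbac.assign("bob", "accountant")
    before = [rbac.allows("bob", o, "read") for o in ("Docs", "Ledger", "Payroll")]
    rbac.revoke("bob", "accountant")                # offboarding: one change, not one per folder
    after = [rbac.allows("bob", o, "read") for o in ("Docs", "Ledger", "Payroll")]
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(dac_demo())    # {'bob_can_write': True, 'bob_edited_acl': False}
    print(rbac_demo())   # {'before': [True, True, True], 'after': [False, False, False]}
```

The point of `dac_demo` is that Bob gets write access to Docs without any administrator deciding it: Andrew, as owner, made that call. In `rbac_demo` the administrator owns the mapping from roles to objects, and Bob’s access to all three objects disappears with one `revoke`.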

So firewalls are based on... oops, I logged out of my SonicWall, let me log back in. If you remember the video where I configured the SonicWall to allow traffic to a web server: if I go to Firewall Settings we can see the firewall is enabled, and under Access Rules one of the things I had created was a custom rule. If you remember it from last time, that rule allows traffic from the WAN to the LAN, from any WAN IP, to the web server we had configured. So in order to access resources in this network, you have to define a rule for it.
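The kind of rule set just walked through on the SonicWall, as an added example in Python rather than the actual SonicWall configuration: an ordered list of rules, evaluated top-down, first match wins, and anything nothing matches falls through to an implicit deny. The zones, address ranges and sample packets are constructed. The blocklist rule is placed above the web-server allow on purpose; swap the order and the blocklisted range gets in, which is the ordering mistake rule-based control makes easy.

```python
"""Rule-based access control: an ordered firewall rule set, first match wins, implicit deny.

Added example, not the SonicWall configuration shown in the video. Zones, addresses
and the sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_zone: str            # "WAN", "LAN" or "any"
    dst_zone: str
    src_net: str             # CIDR or "any"
    dst_net: str
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any port


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int]


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone in ("any", pkt.src_zone)
            and rule.dst_zone in ("any", pkt.dst_zone)
            and _in_net(pkt.src_ip, rule.src_net)
            and _in_net(pkt.dst_ip, rule.dst_net)
            and rule.proto in ("any", pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[Rule]]:
    """Walk the rule set top-down; the first matching rule decides. No match means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None   # the implicit deny at the end of every rule set


# Constructed rule set: a blocklisted source range, a published web server, outbound LAN traffic.
RULES = [
    Rule("deny",  "WAN", "LAN", "198.51.100.0/24", "any", "any", None),   # known-bad range, checked first
    Rule("allow", "WAN", "LAN", "any", "192.168.1.10/32", "tcp", 443),     # web server, HTTPS only
    Rule("allow", "LAN", "WAN", "192.168.1.0/24", "any", "any", None),     # anything outbound from the LAN
]


def check(src_ip: str, dst_ip: str, proto: str, port: Optional[int],
          src_zone: str = "WAN", dst_zone: str = "LAN") -> str:
    return evaluate(RULES, Packet(src_zone, dst_zone, src_ip, dst_ip, proto, port))[0]


if __name__ == "__main__":
    print(check("203.0.113.5", "192.168.1.10", "tcp", 443))          # allow: the web-server rule
    print(check("203.0.113.5", "192.168.1.10", "tcp", 22))           # deny: no rule for SSH
    print(check("203.0.113.5", "192.168.1.20", "tcp", 443))          # deny: not the published host
    print(check("198.51.100.7", "192.168.1.10", "tcp", 443))         # deny: blocklist matched first
    print(check("192.168.1.33", "8.8.8.8", "udp", 53, "LAN", "WAN"))  # allow: outbound rule
```

Nothing here knows who the user is: a rule-based device decides on packet attributes and position in the list, which is why the web server is reachable on 443 from anywhere but SSH to the same host is dropped without a rule ever saying so.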

Firewalls and routers are good examples of devices that use rule-based access control, because you’re setting a rule set (an access control list) on the device rather than putting somebody into a role. On most firewalls the rules are evaluated in order, the first match decides, and anything that matches nothing hits the default deny at the end, so the order of the rules matters as much as their content. Okay? The other one we want to mention is mandatory access control (MAC). The thing I want you to remember about mandatory access control is that it uses security labels. Let me explain. Remember for your exam: mandatory access control uses security labels. MAC is implemented in SELinux, by the way. Before I get into it, let me show you what I mean: SELinux (we don’t need the Android page) is Security-Enhanced Linux, and it provides a mechanism for enforcing a system-wide security policy.

That is what introduces mandatory access control. SELinux ships with Red Hat-based distributions such as Fedora, and you can download one and play around with it if you want. But let me explain what exactly this is. Mandatory access control uses security labels: labels are assigned to the objects and to the subjects, and when the subject’s label satisfies the object’s, you can access the resource. If you know how the government works, Top Secret and Secret are clearances. If you have a Top Secret clearance, can you access all Top Secret data? The answer is no. Why? Because you also have to have a need to know. Just because somebody has a Top Secret clearance doesn’t mean they can access all Top Secret data. Let’s say I work at the NSA and I have a Top Secret clearance for technology policies.

I can go and access and edit the Top Secret technology policies, but I can’t see the accounting policies or the sales policies, because I still need a need to know for those. This is where the labels come into play. In mandatory access control, I carry a security label, my clearance, and the objects carry labels of their own: a classification plus the need-to-know category for that particular object. If my clearance is Top Secret and I also hold the need-to-know label for that object, they match up and I can access it. Notice how this is different from what we did in Windows: there, if you’re a member of the accounting group you can access the accounting resources, and if you’re an administrator you can access the administrator stuff; group membership alone is enough.
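The label comparison described above, as an added example in Python; this is not SELinux code and not from the video. The clearance levels, the TECH and ACCT need-to-know compartments, the users and the documents are all constructed. A subject may read an object only when the subject’s label dominates the object’s: its level is at least the object’s level and it holds every compartment the object carries. The example also shows the other half of “mandatory”: labels are set by the security administrator under policy, and a user who owns a file still cannot relabel it, which is exactly the power DAC hands to owners.

```python
"""Mandatory access control with security labels: a clearance level plus need-to-know
compartments, compared by dominance. Labels are set by policy, not by the subject.

Added example, not SELinux code or anything from the video. Levels, compartments,
users and documents are constructed.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str]   # need-to-know categories, e.g. {"TECH"}

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's level is at least B's AND A holds every compartment of B."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


class MacPolicy:
    """Labels live in one policy store; only the security administrator may assign them."""

    def __init__(self, admins: set[str]) -> None:
        self.admins = admins
        self.subjects: dict[str, Label] = {}   # user -> clearance
        self.objects: dict[str, Label] = {}    # document -> classification + compartments

    def set_object_label(self, actor: str, obj: str, lbl: Label) -> None:
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not a security admin; labels are not user-editable")
        self.objects[obj] = lbl

    def set_clearance(self, actor: str, user: str, lbl: Label) -> None:
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not a security admin")
        self.subjects[user] = lbl

    def can_read(self, user: str, obj: str) -> bool:
        """Read is allowed only when the subject's clearance dominates the object's label."""
        return self.subjects[user].dominates(self.objects[obj])


def demo() -> dict[str, bool]:
    policy = MacPolicy(admins={"secadmin"})
    policy.set_clearance("secadmin", "andrew", label("TOP SECRET", "TECH"))
    policy.set_object_label("secadmin", "tech-policy.doc", label("TOP SECRET", "TECH"))
    policy.set_object_label("secadmin", "accounting-policy.doc", label("TOP SECRET", "ACCT"))
    policy.set_object_label("secadmin", "staff-handbook.doc", label("UNCLASSIFIED"))
    try:                                                   # unlike DAC, the user cannot relabel
        policy.set_object_label("andrew", "accounting-policy.doc", label("UNCLASSIFIED"))
        andrew_relabelled = True
    except PermissionError:
        andrew_relabelled = False
    return {
        "ts_tech_doc": policy.can_read("andrew", "tech-policy.doc"),        # level and compartment match
        "ts_acct_doc": policy.can_read("andrew", "accounting-policy.doc"),  # TS clearance, no need to know
        "unclass_doc": policy.can_read("andrew", "staff-handbook.doc"),     # lower level, no compartments
        "andrew_relabelled": andrew_relabelled,
    }


if __name__ == "__main__":
    print(demo())
    # {'ts_tech_doc': True, 'ts_acct_doc': False, 'unclass_doc': True, 'andrew_relabelled': False}
```

The `ts_acct_doc` result is the exam point: a Top Secret clearance on its own does not dominate a Top Secret label that carries a compartment the subject lacks.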

In this setting it works out better for you. It’s a more secure scenario, because being a member of one thing doesn’t give you access to everything, and the labels are assigned by the security administrator under policy, not by whoever created the file. So remember for your exam: mandatory access control uses security labels, the way clearances are used in the military and government. Now, the last thing we want to talk about: we’ve covered discretionary, role-based, rule-based and mandatory access control. Let’s take a look at the final one, which is becoming very popular: attribute-based access control (ABAC). ABAC bases your ability to access objects on specific attributes, and there is a wide variety of attributes.

We can change what you’re allowed to access, and what you see of the object, based on the operating system you’re logging in with, the time of day, the IP address, the browser type, the groups you’re in, and many other attributes. Take Netflix, for example: log in from a European IP address and you see one catalog; log in from an American IP and you see another. The access control for an American IP is different from the access control for a European IP. Log in from a small-screen mobile device and you can see certain content; log in from a big-screen device and you can see other content. These are very specific attributes. Now you can see why this is becoming popular: all those different attributes let us give people precisely scoped access to different objects. Okay, that’s quite a lot of things here, guys.
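The attribute-driven decisions just described, as an added example in Python: a small policy engine that evaluates subject, resource and environment attributes. This is not code from the video or from any streaming service; the attribute names (ip_country, screen, tier, time_of_day), the policies and the sample requests are constructed. Deny policies are evaluated first so that a single failed condition (wrong region, small screen, outside office hours) overrides any permit, and nothing is permitted unless some policy says so.

```python
"""Attribute-based access control: a small policy engine that decides from subject,
resource and environment attributes rather than from identity or group alone.

Added example, not code from the video or from any streaming service. Attribute names,
policies and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable


@dataclass
class Request:
    subject: dict = field(default_factory=dict)      # who: groups, device screen size ...
    resource: dict = field(default_factory=dict)     # what: type, licensed regions, tier ...
    environment: dict = field(default_factory=dict)  # context: ip_country, time_of_day ...


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # predicate over the request's attributes


def _in_office_hours(req: Request) -> bool:
    tod = req.environment.get("time_of_day", time(0, 0))   # missing time counts as out of hours
    return time(8, 0) <= tod <= time(18, 0)


POLICIES = [
    # Deny rules: each encodes one attribute condition that must not be violated.
    Policy("region-lock", "deny",
           lambda r: r.resource.get("type") == "video"
           and r.environment.get("ip_country") not in r.resource.get("regions", set())),
    Policy("uhd-needs-large-screen", "deny",
           lambda r: r.resource.get("tier") == "UHD" and r.subject.get("screen") != "large"),
    Policy("payroll-us-office-hours-only", "deny",
           lambda r: r.resource.get("type") == "payroll"
           and not (_in_office_hours(r) and r.environment.get("ip_country") == "US")),
    # Permit rules: who may have the resource at all (group membership is just one attribute).
    Policy("video-for-subscribers", "permit",
           lambda r: r.resource.get("type") == "video"
           and "subscriber" in r.subject.get("groups", set())),
    Policy("payroll-for-finance", "permit",
           lambda r: r.resource.get("type") == "payroll"
           and "finance" in r.subject.get("groups", set())),
]


def decide(req: Request, policies: list[Policy] = POLICIES) -> tuple[str, str]:
    """Deny-overrides combining: any applicable deny wins, then the first applicable permit,
    otherwise the default is deny because nothing said yes."""
    for p in policies:
        if p.effect == "deny" and p.applies(req):
            return "deny", p.name
    for p in policies:
        if p.effect == "permit" and p.applies(req):
            return "permit", p.name
    return "deny", "default-deny"


# Constructed resources and request helpers
SHOW_HD = {"type": "video", "regions": {"US", "CA"}, "tier": "HD"}
SHOW_UHD = {"type": "video", "regions": {"US", "CA"}, "tier": "UHD"}
PAYROLL = {"type": "payroll"}


def watch(country: str, screen: str, show: dict,
          groups: frozenset = frozenset({"subscriber"})) -> tuple[str, str]:
    return decide(Request({"groups": groups, "screen": screen}, show, {"ip_country": country}))


def open_payroll(country: str, tod: time,
                 groups: frozenset = frozenset({"finance"})) -> tuple[str, str]:
    return decide(Request({"groups": groups}, PAYROLL, {"ip_country": country, "time_of_day": tod}))


if __name__ == "__main__":
    print(watch("US", "large", SHOW_HD))        # ('permit', 'video-for-subscribers')
    print(watch("DE", "large", SHOW_HD))        # ('deny', 'region-lock'): same user, other IP
    print(watch("US", "small", SHOW_UHD))       # ('deny', 'uhd-needs-large-screen')
    print(open_payroll("US", time(10, 0)))      # ('permit', 'payroll-for-finance')
    print(open_payroll("US", time(23, 0)))      # ('deny', 'payroll-us-office-hours-only')
    print(open_payroll("US", time(10, 0), frozenset({"sales"})))  # ('deny', 'default-deny')
```

Compare the first two `watch` calls: the subject, the group and the object are identical, and only the ip_country attribute changes the decision. That is the distinction from role-based control, where group membership alone would have settled it.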

Watch this video again and make sure to review these concepts, because you’re going to see them on your exam; they love testing this. Quick recap. Discretionary access control is when objects have owners who define the access; Windows file permissions are based on this. Attribute-based access control uses a variety of attributes, such as when you log in, the time of day, your IP address, your location, and your browser type. Role-based access control is putting people into groups and assigning access to the groups; good for high-turnover environments. Rule-based access control uses an access control list (ACL) to grant or deny access; this is generally done on firewalls and routers. And finally, mandatory access control is based on security labels such as Top Secret and Secret, plus a need to know, in order to access objects.
