Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out
Get this document free

100916_Access_Control

VIEWS: 0 PAGES: 19

									   INLS 566
 September 16, 2010
Access Control Basics
   Housekeeping
I need a few more presentation dates 
Book review due next Tuesday (Sep 21)
– Web: send me URL, username, password
– Email: send me attachment
   Must have been SENT by midnight on due date
Any questions about material so far?
Interesting security news? (1, 2)
    Take a Breath
It may seem that crackers can get to
your system no matter what you do
– (Yes, that would be discouraging …  )
But think of it this way:
– There is always some RISK of intrusion
– You can reduce that risk by studying,
  planning, and taking appropriate action
 Access Threats
Unauthorized reading
Unauthorized change
Unauthorized removal
Unauthorized <whatever>
–(Possibly accidental … )
Typical Solution
Who may read
Who may change
Who may remove
Who may <whatever>
   For Example
Bill may read
Aaron may change
Scott may remove
(etc.)
Identification
Real life
–Driver’s license, etc.
In a computer
–User ID number
Identification

 User ID number



Computer assigns user ID token,
based on the information you send

                                     Clipart thanks to
                                    Freegraphics.com
                                       and gif.com
            User ID Token
(Cartoon from one of
those email forwards)




   UNIX
  – 1001


   Windows™
  – S-1-5-21-123456789-1234567890-1234567890-502
User Identification
Often appropriate, not always
 –(May be required for auditing)
Many systems mix user ID’s
and role ID’s (authorization)
 –UNIX: root, bin, daemon, etc.
 –Windows: Administrator, guest
 Identification Issues
If identification is not needed,
logging on wastes time/money
When someone logs on as guest,
root, etc. – i.e., as a role – you
might not really know who it is
Sometimes roles are appropriate
– E.g., high turnover in an organization
Identification Policy
Consider identification policy
–What are the risks (Schneier)
–Is identification (or anonymity)
 appropriate in your organization
–Use of personal identities, versus
 organizational roles, or other …
Access by User ID
Per-user list of permissions (rare)
–“user capabilities”
Per-object list of users & access
–“access control list”
Access control matrix (used only
as theory, covers all possibilities)
Access Control Matrix
           Bill     Aaron    Scott   (etc.)
  file_1   read     write    full    …
  file_2   write    write    full    …
  file_3   full     delete   full    …
  dir_1    delete   write    full    …
  dir_2    none     delete   full    …
  (etc.)   …        …        …       …
Per-Object Properties
           Bill     Aaron    Scott   (etc.)
  file_1   read     write    full    …
  file_2   write    write    full    …
  file_3   full     delete   full    …
  dir_1    delete   write    full    …
  dir_2    none     delete   full    …
  (etc.)   …        …        …       …
Per-Object Properties
UNIX
– $ ls –l tmp
– -rwxr-xr-- 1 barney users   0 Sep 13 17:58 tmp

Windows:
     UNIX Permissions
$ ls –l tmp
-rwxr-xr-- 1 barney geeks          0 Sep 13 17:58 tmp


–   rwx: owner (barney) may read, write, and execute
–   r-x: members of group (geeks) may read and execute
–   r--: everyone else (“other”) may read (only)
–   For more information: man ls
  Managing Access
(If owner can change permissions)
Windows Properties -> Security
UNIX chmod command
– UNIX also has chgrp & chown commands,
  which change access behavior
AFS uses Access Control Lists
Other examples? (discussion)
Suggested Reading
Schneier ch. 7-10 (pp. 87- 146)
Dhillon:
– ch. 3 (pp. 28-43)
– ch. 13 (pp. 241-263)
McClure:
– 6th Ed., ch. 5 (pp. 224-310)
– 5th Ed., ch. 5 (pp. 212-292)
Scambray ch. 9 (pp. 294-330)

								
To top