1. Understanding Authorisation
Authorisation is the final step in the access control process. Once an individual successfully authenticates to a system, authorisation determines the privileges that individual has to access resources and information.
2 Principles of Authorisation
- Principle of Least Privilege: This principle states that an individual should have only the minimum set of permissions necessary to accomplish his or her job duties. This limits the potential damage from an insider attack and restricts what an external attacker can do with a compromised account.
- Separation of duties: This principle states that sensitive business functions should require the involvement of at least two people. Because two employees would have to collude to commit fraud, this reduces the likelihood of fraud. One common example of separation of duties is found in accounting departments.
EXAM TIP: be able to identify these principles in an example
Privilege creep occurs when users change from one job to another and gain new privileges associated with their new responsibilities but never lose the privileges from the job that they left.
Account reviews limit privilege creep. Reviews can be manual, for example a quarterly review of each user's permissions, or automated.
2. Mandatory Access Controls
Mandatory Access Control systems are the most stringent type of access control. In Mandatory Access Control, or MAC, systems, the operating system itself restricts the permissions that may be granted to users and processes on system resources. Users themselves cannot modify permissions. For this reason, MAC is rarely fully implemented on production systems outside of highly secure environments. MAC is normally implemented as a rule-based access control system in which users and resources carry labels and the operating system makes access control decisions by comparing those labels.
The most common example of an operating system implementing MAC is Security-Enhanced Linux, or SELinux, a Linux kernel security module developed by the US National Security Agency in the 1990s and included in some Linux distributions including Red Hat Enterprise Linux, CentOS, and Fedora. As far as the Security+ exam goes, that’s really all you need to know about Mandatory Access Controls.
3. Discretionary Access Controls
Discretionary access control allows users to assign access permissions to other users. The owners of files, computers and other resources have the discretion to configure permissions as they see fit.
The NTFS file system access control model used on Windows disks is one of the most common examples of a discretionary access control system.
4. Access Control Lists
An access control list is simply a table containing usernames and the permissions granted to each user of a resource. For example, I might own a file on a computer governed by a discretionary access control system and decide that I want other users to access my file. I might grant one user the ability to edit the file and a large group the ability to read the file. Each one of these decisions would require an entry in an access control list.
The NTFS file system used by Windows implements access control lists and allows users to assign a variety of permissions:
- Full control: grants complete authority over a resource. The user can perform any action on the file or folder.
- Read: allows the user to view the contents of the file.
- Read and execute: goes beyond the read permission and also allows the user to run executable programs.
- Write: allows the user to create files and add data to them.
- Modify: goes beyond write to allow the user to delete files. It also adds the read and execute permissions not already present in the write permission group.
5. Advanced Authorisation Concepts
Implicit Deny Principle
Anything that is not explicitly allowed should be denied
The implicit deny principle, otherwise known as default deny, is one of the foundational principles of access control systems.
Firewalls are an example of the default deny principle in action. If a firewall does not have a rule allowing a connection, it denies the connection.
EXAM TIP: the implicit deny rule is a critical concept on the Security+ exam
Role Based Access Control
Permissions are grouped together into functional roles and users are assigned to those roles.
Let’s look at an example. Imagine that Alice Jones comes to our company as a new supervisor in the accounting department. As part of her job, she needs to handle all the work of an accounting clerk. Administrators can go ahead and assign her the accounting clerk role, and she will automatically receive all related permissions. She will inherit changes as the permissions assigned to that role change.
Alice also needs advanced privileges reserved for accounting supervisors, so administrators can assign her to that role as well.
Attribute-Based Access Control (ABAC)
ABAC allows administrators to write security policies based upon the attributes of a user, object, and the situation.
For example, in an attribute-based access control system you might write a policy that allows managers to access salary information only after executives have finalized merit increases in March.
You write the policy like this:
- the user trying to access the information must have an account class of manager
- the user must be the manager of the individual whose data is being requested, or the user must be the manager of that individual’s manager
- the date must be after March 15th, 2017.
Location Based Access Controls
Location-based access control policies extend the attribute model by including a user’s physical location as an attribute. For example, in the previous scenario, you might set a location-based access control policy that requires that the person only access this data while they are physically located in one of your offices.
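The salary policy above, including the location attribute, written out as a small attribute-based evaluator. This is an added example, not from the original notes; the org chart, user attributes and office list are constructed, and any request the policy does not explicitly allow is denied (implicit deny).

```python
from datetime import date

# Added example, not from the original notes. Org chart, users and offices
# below are constructed for illustration.
MANAGER_OF = {"bob": "alice", "carol": "bob", "dave": "erin"}  # employee -> manager
USERS = {
    "alice": {"account_class": "manager"},
    "bob": {"account_class": "manager"},
    "erin": {"account_class": "manager"},
    "frank": {"account_class": "staff"},
}
OFFICES = {"london", "new_york"}
MERIT_INCREASES_FINAL = date(2017, 3, 15)

def manages_within(user, employee, levels=2):
    """True if user is employee's manager or the manager's manager."""
    boss = employee
    for _ in range(levels):
        boss = MANAGER_OF.get(boss)
        if boss is None:
            return False
        if boss == user:
            return True
    return False

def salary_policy(user, employee, today, location):
    """Return (allowed, reason); every attribute condition must hold."""
    if USERS.get(user, {}).get("account_class") != "manager":
        return False, "account class is not manager"
    if not manages_within(user, employee):
        return False, "not the employee's manager or manager's manager"
    if today <= MERIT_INCREASES_FINAL:
        return False, "merit increases not yet finalised"
    if location not in OFFICES:
        return False, "not physically located in an office"
    return True, "all policy conditions satisfied"

def can_view_salary(user, employee, today, location):
    """Implicit deny: only an explicit policy match grants access."""
    allowed, _ = salary_policy(user, employee, today, location)
    return allowed

if __name__ == "__main__":
    print(can_view_salary("alice", "carol", date(2017, 4, 1), "london"))  # True
    print(can_view_salary("erin", "carol", date(2017, 4, 1), "london"))   # False
    print(can_view_salary("alice", "carol", date(2017, 4, 1), "home"))    # False
```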
Time of day restrictions
Some organisations choose to implement time of day restrictions to limit after hours use of computing resources. For example, if Alice has the ability to issue checks, her supervisors might want to prevent her from logging on to the system on evenings and weekends, when she might print a check without supervision.
This can be set using the “Logon Hours” tab on the user's account in Active Directory.
6. Database Access Controls
Databases use several authentication and authorisation techniques to protect the sensitive data that they contain. Database authentication uses many of the same concepts that we’ve already talked about.
MS SQL Server
Microsoft SQL Server supports three different types of user authentication:
- SQL Server authentication: uses local database user accounts
- Windows Authentication: uses underlying server user accounts
- Mixed authentication: uses both SQL and Windows authentication
There are also two major techniques that you can use to control database authorisation:
- Role Based Authorisation: This manages permissions through roles that are assigned to users by administrators. For example, one role may allow read-only access to the entire database, another might allow full administrative access, and a third might allow only the limited administrative permissions necessary to create and manage backups.
- Account Based Authorisation: In this method you assign very granular access permissions directly to an individual account. For example, you might grant a user permission to select rows from one table and insert rows into another table.