Best Controls
- Eliminate anonymous access
- Limit admin accounts
- Lock account for unsuccessful logins
- Disable unused accounts
- Remove old accounts
- Disable unneeded system features
- Change default passwords
- Use non descriptive Login IDs
- Force regular password changes
- Audit access
- Collect and protect logs
- Limit ‘Privileged’ Accounts
Access Controls
- Discretionary Access Control (DAC)
- Owner based
- Owner is typically the creator of the file
- Owner decides who gets access to file
- Owner can give access to file without administrator
- Once given access, user can give access to other users
- Mandatory Access Control (MAC)
- System Owner based
- Very strict
- Utilize labels
- Objects are marked with classification level
- Subjects have clearance
- Categories used to enforce Need to Know
- Sensitivity indicated via confidentiality level
- Lattice Based
- Feature of several types
- Not an access control of and by itself
- Access Control Matrix
- Capability table
- Each row is attached to a subject
- Each column is an object
- Rule Based – may be abbreviated RuBAC, may sometimes be RBAC
- Think Firewall
- Access control list
- Role Based (RBAC)
- Typically group based
- Group function
- Subject can be part of more than one role
- User ‘inherents’ rights of group
- Content Based
- Based on content being accessed
- Not implemented with OS
- Implemented with App/Database
- Permissions can be dynamically changed to avoid conflict of interest (Brewer Nash)
- Constrained
- System provides little user functionality
- Example – Linux restricted shell
- ATM
- Time Based
- Time of day
- Day of week