
Access Control


DAP (software). Dap is a command-line driven program. Using its internal commands, one can perform tests on means and percentiles, correlation, ANOVA, categorical analysis, linear and logistic regression analysis and non-parametric statistics. It can also be used to create scatterplots, line graphs and histograms of data. It has been designed to cope with very large data sets, even when the size of the data exceeds the size of the computer's memory.

The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory.

Similarly, a telephone directory is a list of subscribers with an address and a phone number. LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.1. A common use of LDAP is to provide a central place to store usernames and passwords.

Directory service. A directory service is a software system that stores, organizes, and provides access to information in a computer operating system's directory. In software engineering, a directory is a map between names and values. It allows the lookup of named values, similar to a dictionary.

As a word in a dictionary may have multiple definitions, a directory service can associate a name with multiple, different pieces of information. Likewise, as a word may have different parts of speech and different definitions, a name in a directory may have many different types of data. A directory service called a naming service maps the names of network resources to their respective network addresses. A directory service defines the namespace for the network. Replication and distribution have very distinct meanings in the design and management of a directory service.

TACACS. Terminal Access Controller Access-Control System (TACACS, usually pronounced like "tack-axe") refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server. The original TACACS protocol, which dates back to 1984, was used for communicating with an authentication server, common in older UNIX networks; it spawned related protocols. Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco Systems in 1990 without backwards compatibility to the original protocol. TACACS and XTACACS both allow a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993.

RADIUS. Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.[1] Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services.

These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.[2] RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.[3]

What is AAA server (authentication, authorization, and accounting)? - Definition from

Kerberos (protocol). Kerberos builds on symmetric-key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.[1] Kerberos uses UDP port 88 by default. MIT developed Kerberos to protect network services provided by Project Athena. The protocol is based on the earlier Needham-Schroeder Symmetric Key Protocol.

The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, which was a monstrous three-headed guard dog of Hades. Several versions of the protocol exist; versions 1–3 occurred only internally at MIT. Version 5, designed by John Kohl and Clifford Neuman, appeared as RFC 1510 in 1993 (made obsolete by RFC 4120 in 2005), with the intention of overcoming the limitations and security problems of version 4. MIT makes an implementation of Kerberos freely available, under copyright permissions similar to those used for BSD.

In 2007, MIT formed the Kerberos Consortium to foster continued development.

Group Policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy ("LGPO" or "LocalGPO") also allows Group Policy Object management on standalone and non-domain computers.[1][2] Group Policy, in part, controls what users can and cannot do on a computer system, for example: enforcing a password complexity policy that prevents users from choosing an overly simple password, allowing or preventing unidentified users from remote computers from connecting to a network share, blocking access to the Windows Task Manager, or restricting access to certain folders.

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users.

File system permissions. Unix-like and otherwise POSIX-compliant systems, including Linux-based systems and all Mac OS X versions, have a simple system for managing individual file permissions, which in this article are called "traditional Unix permissions". Most of these systems also support some kind of access control lists: either proprietary (old HP-UX ACLs, for example), POSIX.1e ACLs, based on an early POSIX draft that was abandoned, or NFSv4 ACLs, which are part of the NFSv4 standard. Microsoft and IBM DOS variants (including MS-DOS, PC DOS, Windows 95, Windows 98, Windows 98 SE, and Windows Me) do not have permissions, only file attributes. There is a read-only attribute (R), which can be set or unset on a file by any user or program, and therefore does not prevent the user from changing or deleting the file.

There is no permission in these systems which would prevent a user from reading a file. OpenVMS (a.k.a. Linux supports POSIX.1e ACLs.

Set NTFS Permissions on Objects in Microsoft Windows 8. In Windows 8, when any volume is formatted using the NTFS file system, administrators can protect the information that the volume contains using NTFS permissions.

When NTFS permissions are set on objects, only the users who have been granted appropriate rights are allowed to access those objects. Likewise, if a user's name is not listed in the NTFS permissions list, an implicit deny permission is automatically applied. Moreover, in case administrators want to permanently restrict a particular user or group from accessing a particular object, an explicit deny permission can be set for that user or group. Implicit Deny – Implicit deny permissions on an object are automatically applied for users and groups whose names have not been added to the NTFS permissions list. By default, administrators are allowed to set or remove NTFS permissions on all objects on the computer.
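The two rules above (a principal with no matching entry is implicitly denied, and an explicit deny on a user or group overrides any allow) can be modelled in a few lines. The following is an added illustration, not Windows code and not a full NTFS ACL evaluator: it assumes constructed users, groups and entries, and ignores inheritance and ACE ordering.

```python
# Simplified model of the NTFS access decision described above (added example,
# constructed data; inheritance and ACE ordering are deliberately not modelled).
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: grant or deny a set of rights to a principal."""
    principal: str            # user or group name
    rights: frozenset         # e.g. frozenset({"read", "write"})
    deny: bool = False        # True for an explicit deny entry


def effective_principals(user: str, groups: dict) -> set:
    """The user itself plus every group the user belongs to."""
    return {user} | {g for g, members in groups.items() if user in members}


def is_allowed(user: str, right: str, acl: list, groups: dict) -> bool:
    """Explicit deny wins; otherwise any matching allow grants the right;
    a principal with no matching entry at all is implicitly denied."""
    principals = effective_principals(user, groups)
    relevant = [a for a in acl if a.principal in principals and right in a.rights]
    if any(a.deny for a in relevant):
        return False                      # explicit deny overrides every allow
    return any(not a.deny for a in relevant)   # empty list -> implicit deny


# Constructed sample: Staff may read, Admins may read and write, and dave
# (an Admin) is explicitly denied write; eve is not listed anywhere.
GROUPS = {"Staff": {"alice", "bob", "carol"}, "Admins": {"carol", "dave"}}
ACL = [
    Ace("Staff", frozenset({"read"})),
    Ace("Admins", frozenset({"read", "write"})),
    Ace("dave", frozenset({"write"}), deny=True),
]


def demo() -> dict:
    """Access decisions for the constructed sample, keyed by user-right."""
    checks = [("alice", "read"), ("alice", "write"), ("carol", "write"),
              ("dave", "write"), ("dave", "read"), ("eve", "read")]
    return {f"{u}-{r}": is_allowed(u, r, ACL, GROUPS) for u, r in checks}


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key}: {'allowed' if ok else 'denied'}")
```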

Principle of least privilege. The principle means giving a user account only those privileges which are essential to that user's work. For example, a backup user does not need to install software; hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle also applies to a personal computer user who usually works in a normal user account and opens a privileged, password-protected account (that is, a superuser) only when the situation absolutely demands it. The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security). Benefits of the principle include: better system stability.

In practice, true least privilege is neither definable nor possible to enforce. The original formulation is from Jerome Saltzer:[6]

Job rotation. Job rotation is a management technique[1] that assigns trainees to various structures and departments over a period of a few years.[2] Surveys show that an increasing number of companies are using job rotation to train employees (see Coyne 2011 below). There are both positive and negative effects involved with job rotation that need to be taken into consideration when a company decides to use[3] this technique. Organizations that use job rotation tend to be successful, innovative companies and organizations with a growth and development agenda. Job rotation is also a control to detect errors and frauds. It reduces the risk of collusion between individuals. For a full critical literature review of job rotation research, grey literature, and new evidence-based models of job rotation, see Coyne, P. (2011) below.

Job rotation is frequently used with new college graduates who are just entering the workforce.

Separation of duties. By Alungile Joki ct2015-1709: My research on separation of duties. Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required. In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals.

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Several approaches are viable, as partially or entirely different paradigms: sequential separation (two-signatures principle), individual separation (four-eyes principle), spatial separation (separate action in separate locations) and factorial separation (several factors contribute to completion).

Access control. In the fields of physical security and information security, access control is the selective restriction of access to a place or other resource.[1] The act of accessing may mean consuming, entering, or using.

Permission to access a resource is called authorization. Physical access control is a matter of who, where, and when. Electronic access control uses computers to solve the limitations of mechanical locks and keys. When a credential is presented to a reader, the reader sends the credential's information, usually a number, to a control panel, a highly reliable processor.

The above description illustrates a single-factor transaction. There are three types (factors) of authenticating information:[2]