Access Control
Access control is a security measure that gives administrators the ability to allow or deny access to resources and data. Access control follows authentication; once the user’s identity is established, access control measures of various types determine what actions the user can perform on a given resource. Access control is synonymous with authorization.
Figure: Access control.
User Account Types
Windows® includes several built-in user accounts to provide you with initial access to the computer.
Administrator
Complete administrative access to the computer. This is the most powerful account on the computer and should be protected with a strong password. In the highest security applications, you might also consider renaming the account.
Power User
Power Users have more authorization than standard non-privileged users, but not as much as administrators. They may be able to install most software and updates, but will be restricted from making changes that affect security or the core operating system.
Standard User
This account enables users to use most of the computing software on the computer. However, higher permission is required to uninstall or install software and hardware. This account also limits the configuration of security settings, operational settings, and deletion of necessary system files. This may also be referred to as a non-privileged user.
Guest
Limited computer access to persons without a logon user account. By default, the Guest account is disabled when you install the operating system. You enable this account only if you want to permit users to log on as Guest.
Groups
Windows includes built-in group accounts that you can use to control basic system security.
Administrators
Perform all administrative tasks on the computer. Default Members: Administrator. If you create an account during installation of Windows, it is added to this group.
Guests
Perform any tasks for which the group has permissions. Default Members: Guest.
Power Users
Available on Windows® XP.
Run pre-Windows® 2000 applications, modify some system-wide settings (such as the time), install some programs, and manage some local accounts.
Default Members: None
Users
Run applications and perform other day-to-day computer tasks. Perform any task for which the group has been granted permissions.
Default Members: None
Access Control Measures
There are three primary methods for managing access control.
Mandatory Access Control (MAC):
In MAC, access is controlled by comparing an object’s security designation and a user’s security clearance. Objects, such as files and other resources, are assigned security labels of varying levels, depending on the object’s sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance level must correspond to the object’s security level. If there is a match, the user can access the object; if there is no match, the user is denied access. MAC security labels can generally be changed only by a system administrator and not by the object’s owner. MAC is highly secure but is not widely implemented because it is not as easy to administer as other authorization methods.
Discretionary Access Control (DAC):
In DAC, access to each object is controlled on a customized basis based on a user’s identity. Objects are configured with an Access Control List (ACL) of subjects (users or other entities) who are allowed access to them. An administrator has the discretion to place the user on the list or not, and to configure a particular level of access. If a user is on the list, the user is granted access at the assigned level; if the user is not on the list, access is denied. Unlike MAC, in a DAC authorization scheme, object owners can generally modify their objects’ access control lists.
Role-based Access Control (RBAC):
In RBAC, users are assigned to pre-defined roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts. Access is controlled based on a user’s assigned role. A user might have more than one role assigned to him at one time or might switch from one role to another over the course of his employment. An administrator can assign to a role only those privileges users in the role need to complete their work.
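The three methods above, side by side, as an added example that is not part of the original page. All user, object and role names are constructed, and the MAC check assumes that a clearance "corresponds" when it is at or above the object's label.

```python
# Added example; every user, object and role name below is constructed.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]  # low -> high

def mac_allows(clearance, label):
    # MAC: the decision depends only on the two administrator-set labels.
    # Assumption: clearance "corresponds" when it is at or above the label.
    return LEVELS.index(clearance) >= LEVELS.index(label)

class DacObject:
    """DAC: the object carries its own ACL and its owner may change it."""
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # subject -> access levels

    def grant(self, actor, subject, rights):
        if actor != self.owner:  # only the owner has discretion over the list
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject, right):
        # Absent from the list: denied. Present: only the assigned level.
        return right in self.acl.get(subject, set())

class Rbac:
    """RBAC: privileges attach to roles, users reach them only via roles."""
    def __init__(self, role_privileges):
        self.role_privileges = role_privileges  # role -> {(object, right)}
        self.user_roles = {}                    # user -> {role}

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, obj, right):
        return any((obj, right) in self.role_privileges.get(role, set())
                   for role in self.user_roles.get(user, set()))

def demo():
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})
    rbac = Rbac({"payroll-clerk": {("payroll.db", "read")},
                 "payroll-admin": {("payroll.db", "read"), ("payroll.db", "write")}})
    rbac.assign("carol", "payroll-clerk")
    return {"mac_down": mac_allows("secret", "confidential"),
            "mac_up": mac_allows("confidential", "secret"),
            "dac_read": report.allows("bob", "read"),
            "dac_write": report.allows("bob", "write"),
            "rbac_read": rbac.allows("carol", "payroll.db", "read"),
            "rbac_write": rbac.allows("carol", "payroll.db", "write")}
```

Note where the authority to change a decision sits in each model: the label tables for MAC, the object's owner for DAC, and the role definitions for RBAC.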
Classifications
Security classification refers to the levels of security and access to data. The military and government use a type of MAC access control to secure data. The privilege classifications typically used are “top secret,” “secret,” “confidential,” and “unclassified.”
Role Set-Based Access Control
Another form of access control is called Role Set-Based Access Control (RSBAC). In this system, privileges are determined by roles, but the roles are dynamically assigned at the time access is requested, based on policies and rules determined by the administrator. You might see this system referred to as Rule-Based Access Control; do not confuse it with Role-Based Access Control, although both are abbreviated RBAC.
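To show how this differs from static role assignment, the following added example (not part of the original page) computes roles at the moment of each request from administrator-defined rules. The rules, role names and request fields are constructed for illustration.

```python
# Added example; the rules, role names and request fields are constructed.
from datetime import time

ROLE_PRIVILEGES = {
    "records-editor": {("patient-records", "read"), ("patient-records", "write")},
    "records-viewer": {("patient-records", "read")},
}

# Administrator-defined rules: (role, predicate over the request context).
RULES = [
    ("records-editor", lambda r: r["department"] == "clinical"
                                 and r["network"] == "internal"
                                 and time(8, 0) <= r["time"] < time(18, 0)),
    ("records-viewer", lambda r: r["department"] == "clinical"),
]

def roles_for(request):
    # Roles are computed per request; nothing is stored against the user.
    return {role for role, rule in RULES if rule(request)}

def authorize(request, obj, right):
    granted = set()
    for role in roles_for(request):
        granted |= ROLE_PRIVILEGES[role]
    return (obj, right) in granted  # no matching rule -> no role -> denied
```

The same user receives a different role set as the request context changes, so a write allowed at 10:30 from the internal network is denied at 22:00 without any change to the user's account.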