Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 03_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
Logical Implementation of DAC, MAC,
O
DAC Implementation: Windows
Logical implementation of access control is performed
File Permissions
using access control lists (ACLs), group policies,
passwords, and account restrictions
| ® Oums/Propaties
Gererdl
OS
X
Do you want to allow this app to make
changes to
C\Demo
Admrestrator
your
To change permiasions. cick Ede
Permussons
for SYSTEM
Program name:
EaseUS Data Recovery Wizard
Verfied publisher. CHENGDU YIWO Tech Development Co.,
Ltd.
File ongin:
Hard drrve on this computer
thei
Ed
MNew
Ful contral
v
Mogty
v
Fead§ execite
Lt folder corterts
Read
v
v
v
| vize
T
o =]
hange when
Customize
£2 Admratraton CND Admnatraton)
PC
S
Previcus Versors
& Mot matn@CND com)
User Account Contrel
)
Securty
Growp
or uter names
‘
0
Shamng
Otectname.
MAC Implementation: The User Account
Control (UAC) tool of Windows
and RBAC
For
v
Cermizsons
of 3 anced setngs
Dery
“I
o
v
)
notdications appear
Copyright © by
Logical Implementation of DAC, MAC,
L All Rights Reserved.
and RBAC
Reproductionis Strictly Prohibited
(Cont’d)
RBAC Implementation: Just Enough Administration (JEA)
st
RBAC Implementation:Windows Admin Center (WAC)
Copyright © by
Logical Implementation of DAC,
MIAC,
L All Rights Reserved. Reproductions Strictly Prohibited
and RBAC
In the Windows operating system (0S), the User Account Control (UAC) feature implements the
MAC security model. It restricts the installation of any application software only through
administrator authorizations. In other words, users without administrative privileges are
restricted to install any application on the system.
Module 04 Page 459
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Identification, Authentication, and Authorization.
Exam 212-82
User Account Control
X
Program name:
EaseUS Data Recovery Wizard
Verified publisher: CHENGDU YIWO Tech Development Co.
Ld.
File origin:
Haed drive on this computer
Show detsls
e
Figure 4.3: Mac Implementation: The User Account Control tool of Windows OS
Logical Implementation of DAC: Windows File Permissions
In the Windows OS, DAC is implemented for assigning file permissions to specific groups/users.
Permissions to access files and folders on a system, to access files that exist on an old account
of a user, or to edit system files are all controlled using DAC.
~
Demo Properties
General
Sharing
Object name:
X
Securly Previous Versions
Customize
C:\Demo
Gr!_xp of user names:
|
SY
EM
& Madin (matin@CND com)
2 Administrator
!l 82 Administrators (CND\Administrators)
To change permissions,
ciick Edt.
Ede.
Pemissions for SYSTEM
Full control
Figure 4.4: DAC Implementation: Windows File Permissions
Logical Implementation of RBAC: Just Enough Administration (JEA)
The Just Enough Administration (JEA) management framework of in the Windows OS
implements RBAC to restrict the rights of IT administrators in remote PowerShell sessions.
Using JEA a fine-grained
access
control
can
be
implemented
for non-administrators
to run
specific commands, scripts, and executables.
Module 04 Page 460
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Identification, Authentication, and Authorization
Exam 212-82
drursrsrze Wndows
Wondoat Ponerihet
Sonerinet 15
146
B Adriritrpze
Fle
»
Ed2
Ede
View
Toohs
Toohh
ted
< |
Detug
Debug
Addoms
oO.
Help
90 ‘. »0
o0 "
&0R
&-
—
-
BOD
-
n
&,
&
e
ps!1*(Recovered) X
Unttied! pst*(Recovered)
4€
‘
New-1tem
1
&
«Path
NOUserAccess
New-PSR0
TeCagabr
1Nty
le
New-PiRo
TeCagabr
Ity
i1 le
e
e
\ RoleCapa
RoleCapabi
~Path
CNOLserAccess
CNOLserACcCess. \CNOUserAccess
CNOLserAccess BfoleCapabilitien’
oC apab
1tres’
4
New-Pilessionlonfigurationiile
New-PiSessionlonfigurationfile
Y
Test-Pifessroonfigurationfile
Teit-FiSessrononfigurationfile
s
150
Tee
11
2
14
7S
CNOE
CNCE
Stetsr0n
nilg
g
Copy-1tes
-Path
Con
4
InvokeCommand
Enter-PSSessron
~Destination
~Destimation
CNCEndpoint.pssc5%
Ss1ession
~ComputerName
'\ B10
2 apald
JEARole.
JiAiole.
pare
parc.
oerMce
M
Ces
Reat
festricleflenotelerver
eMemiteler
ve
'Ci'\Progras
‘Ci\Progras
-Destimation
-0
L1900
~ScriptBlock
DumainControlle
Enter-PSSession
Enter-PSS%ession
e
o
c
Fat»
~Path
A.*
".
O sdpoint.., psac
ps
NOE~dpoint
trolle
erolle
(NDUsericcess
Musericcess
-Seision
C:\Wners\Administrator>
Wers\Administrator>
DosainControlle):
DomainControlle):
«Path
Domay 1
Doma
tenType
onduseraccess
cnduseraccess
~SessionType
£33 4 0
e
2.9%8
2.988
S%e3310n
New-Pifens
=
e
1itves
¢¢
Files \windowsPower
windowsPower
Shell
Shell '\ modules”
~ToSessr10n
~-ToSess19n
Ssessron
Ssessron
-Force
-Force
[Regrater -Pite
(Regiater-PiSessronConfiguration
Confirgerationnane
~ComputerNane
\Documsents»
PS Ci:\Users\Adeinistrator
Ci\Users\Adwinistrator\Documents>
(NDUserAccess
rath
Path
«¢:
-Recurse
~Recurse
-ToSession
(ND(~d
NOC
33C
Ssession
Name
~Mame
-Force
~Force
"CNDUserAccess”
DomainComtrolle
DomainControlle
Cet
Get-PSSessionConfiguration
-PSSessronlonfiguration
: ONDUserAccess
! 5.1
1
COND\alirce
O\alice
AccessA)
AccessAl
lowed
lowed
mcrosof
power shell
microsof t, powershell
< 3
:
NT AUTHORITY\INTIRACTIVE
AUTHORITY
INTIRACTIVE
AccessAl Jowed
AccessAl
Jowed
AccensAllowed,
BUILTIN\Administrators
BUILTIN\Admimistrators
AccessAllowed,
BUILTIN\Remote
Management
Us
Us
!: microsoft.
microsoft, powershell,
powershel ]l. workflow
workflow
Permission
ane
PSVersion
ratory
: BUILTIN\Adwinistrators
AccessAllowed,
BUILTIN\Remote
Masagement
Masagement
Users
Users
AccensAllowed
of t, powershel 132
ST artupSort
Wn71Cad
(CRAR