Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 03_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Logical Implementation of DAC, MAC, O DAC Implementation: Windows Logical implementation of access control is performed File Permissions using access control lists (ACLs), group policies, passwords, and account restrictions | ® Oums/Propaties Gererdl OS X Do you want to allow this app to make changes to C\Demo Admrestrator your To change permiasions. cick Ede Permussons for SYSTEM Program name: EaseUS Data Recovery Wizard Verfied publisher. CHENGDU YIWO Tech Development Co., Ltd. File ongin: Hard drrve on this computer thei Ed MNew Ful contral v Mogty v Fead§ execite Lt folder corterts Read v v v | vize T o =] hange when Customize £2 Admratraton CND Admnatraton) PC S Previcus Versors & Mot matn@CND com) User Account Contrel ) Securty Growp or uter names ‘ 0 Shamng Otectname. MAC Implementation: The User Account Control (UAC) tool of Windows and RBAC For v Cermizsons of 3 anced setngs Dery “I o v ) notdications appear Copyright © by Logical Implementation of DAC, MAC, L All Rights Reserved. and RBAC Reproductionis Strictly Prohibited (Cont’d) RBAC Implementation: Just Enough Administration (JEA) st RBAC Implementation:Windows Admin Center (WAC) Copyright © by Logical Implementation of DAC, MIAC, L All Rights Reserved. Reproductions Strictly Prohibited and RBAC In the Windows operating system (0S), the User Account Control (UAC) feature implements the MAC security model. It restricts the installation of any application software only through administrator authorizations. In other words, users without administrative privileges are restricted to install any application on the system. Module 04 Page 459 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization. Exam 212-82 User Account Control X Program name: EaseUS Data Recovery Wizard Verified publisher: CHENGDU YIWO Tech Development Co. Ld. File origin: Haed drive on this computer Show detsls e Figure 4.3: Mac Implementation: The User Account Control tool of Windows OS Logical Implementation of DAC: Windows File Permissions In the Windows OS, DAC is implemented for assigning file permissions to specific groups/users. Permissions to access files and folders on a system, to access files that exist on an old account of a user, or to edit system files are all controlled using DAC. ~ Demo Properties General Sharing Object name: X Securly Previous Versions Customize C:\Demo Gr!_xp of user names: | SY EM & Madin (matin@CND com) 2 Administrator !l 82 Administrators (CND\Administrators) To change permissions, ciick Edt. Ede. Pemissions for SYSTEM Full control Figure 4.4: DAC Implementation: Windows File Permissions Logical Implementation of RBAC: Just Enough Administration (JEA) The Just Enough Administration (JEA) management framework of in the Windows OS implements RBAC to restrict the rights of IT administrators in remote PowerShell sessions. Using JEA a fine-grained access control can be implemented for non-administrators to run specific commands, scripts, and executables. Module 04 Page 460 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization Exam 212-82 B Adriritrpze Wndows Ponerihet 15 Fle » Ede View < Toohh | Debug Addoms o. Help ‘ » " &R - — - - &n e Unttied! pst*(Recovered) X € New-PiRo ‘ 11 7S 4 e & «Path NOUserAccess TeCagabr Ity i le. \CNOUserAccess RoleCapa ~Path CNOE £33 4 0 150 Y Teit-FiSessrononfigurationfile Stetsr0n g = Copy-1tes -Path Doma 1 (NDUsericcess C:\Wners\Administrator> : ! e PS «Path Reat c o. 2 JEARole. pare eMemiteler o ve M Ces Fat» A. " NOE~dpoint. psac erolle ~Destination 5% 4 DosainControlle): '\ B onduseraccess tenType 2.9%8 New-Pifens Con e CNOLserACcCess foleCapabilitien’ New-Pilessionlonfigurationiile s 2 14 New-1tem -0 Enter-PSSession 'Ci'\Progras L1900 ¢ ~ComputerNane Ci:\Users\Adeinistrator Files \Documsents» windowsPower Shell modules” ~-ToSess19n [Regrater -Pite Ssessron -Force rath « -Recurse -ToSession NOC Ssession Name -Force "CNDUserAccess” DomainComtrolle Cet -PSSessronlonfiguration ONDUserAccess 5.1 COND\alirce AccessA) lowed microsof t, powershell : NT AUTHORITY AccessAl : INTIRACTIVE AccensAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Us Jowed microsoft, powershel ]l. workflow : BUILTIN\Adwinistrators AccessAllowed, BUILTIN\Remote Masagement Users of t, powershel 132 (CRAR