Data-Protection Mechanisms : Data-Protection Mechanisms Chapter 7
Week 10 1
Overview : Overview Access control List
Rights Management
Encryption 2
authentication : authentication Identify a user and bind that user to an identity within a computer system
Held within SAM (security accounts manager)
Held within AD (active directory) 3
Authorization : Authorization The process of identifying whether a computer system has the right to perform some task
Implemented through ACL (access control list) 4
Security Groups : Security Groups Scope
Local
Domain
Global
universal 5
Access Control Lists : Access Control Lists Mandatory ACLs
Discretionary ACLs
System ACLs
Security descriptors (SD) 6
Inheritance behavior flags : Inheritance behavior flags SE_DACL_PROTECTED
SE_DACL_AUTO_INHERITED
SE_DACL_AUTO_INHERIT_REQ 7
ACE STrings : ACE STrings Ace_type
Ace_flags
Rights
Object_guid
Inherit_object_guid
account)_sid 8
File Access controls : File Access controls Can you access the resource over the network?
Can you map a drive letter?
Can you get to the folder containing the file?
Do you have access to the folder containing the file?
Finally, do you have access to the file itself? 9
Access Control Best Practices : Access Control Best Practices Assign the access for the minimum number of things needed
Include share and application permissions in planning
Assign permission to groups rather than users whenever possible
Use the “deny” permission with caution
Manage at the highest “inheritance” level where possible 10
RMS Workflow : RMS Workflow A producer receives a client licensor certificate
The producer defines a set of usage rights and rules
The producer distributes the file
Application verifies the identify of the user
Application uses the consumer’s private ket to decrypt the blob 11
RMS Components : RMS Components Composed of identity and authentication mechanism (Active Directory)
xRML certificate server
Client component and key “lockbox”
Rights-aware applications 12