• Active Directory uses the following two objects to represent the physical structure of the
network.
• A site
– AD site is simply a physical location where DCs are placed and group policies can be
applied
• A subnet
• Each domain controller contains a full replica of the objects that make up the domain and is
responsible for the following functions:
– Storing a copy of the domain data and replicating changes to that data to all other
domain controllers throughout the domain
– Providing data search and retrieval functions for users attempting to locate objects in
the directory
– Providing authentication and authorization services for users who log on to the domain
and attempt to access network resources
• Sites and subnets are used to manage Active Directory replication between locations.
• All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).
• Site links are used by Active Directory to build the most efficient replication topology.
• A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.
• Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.
• Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.
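The two assignment rules above can be made concrete. The following Python is an added illustration, not part of the original notes: a client is mapped to a site through the most specific subnet object that contains its address, while a domain controller is mapped by the site its server object sits under. The site names, subnets and DC names are constructed for the example.

```python
import ipaddress

# Constructed subnet objects: each prefix belongs to exactly one site.
# A more specific prefix (the /24 inside the /16) wins, as it does in AD.
SITE_SUBNETS = {
    "10.1.0.0/16": "Paris",
    "10.1.20.0/24": "Paris-Datacenter",
    "10.2.0.0/16": "Lyon",
    "192.168.0.0/24": "Branch-Office",
}

# Constructed server objects: a DC's site comes from where its server object lives,
# not from its IP address.
DC_SITES = {
    "DC01": "Paris",
    "DC02": "Paris",
    "DC03": "Lyon",
}


def build_subnet_table(site_subnets):
    """Parse the CIDR strings and sort longest prefix first, so the first hit is the most specific."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in site_subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(client_ip, table):
    """Dynamic assignment: the client's IP address decides its site.

    Returns None when no subnet object covers the address; such a client is not
    attached to any site and may end up authenticating against a distant DC.
    """
    addr = ipaddress.ip_address(client_ip)
    for network, site in table:
        if addr in network:
            return site
    return None


def dcs_for_client(client_ip, table, dc_sites):
    """Domain controllers in the client's own site (empty list if the client has no site)."""
    site = site_for_client(client_ip, table)
    return sorted(dc for dc, dc_site in dc_sites.items() if dc_site == site)


def unmapped_clients(client_ips, table):
    """Admin check: which observed client addresses fall outside every defined subnet object?"""
    return [ip for ip in client_ips if site_for_client(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for ip in ["10.1.20.7", "10.1.5.9", "172.16.0.1"]:
        print(ip, "->", site_for_client(ip, table), dcs_for_client(ip, table, DC_SITES))
```

The `unmapped_clients` check is the one worth running against real logon data: every address it returns is a client that belongs to no site and therefore gets no locality benefit from the topology.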
Access Control
• Access control is a system which enables an authority to control access to areas and resources
in a given physical facility or computer-based information system
• “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
Access Controls: The security features that control how users and systems communicate and
interact with one another.
Subject: An active entity that requests access to an object or the data in an object
Identification
Authentication
Authorization
– Determines that the proven identity has some set of characteristics associated with it
Something you know
– Requires you to provide a password or some other data that you know.
– Examples:
Something you have
– Also called token-based authentication; authentication based on something a user has in their possession.
Something you are (biometrics)
– This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication.
• Voice recognition
• Facial scans
• Fingerprints
• Hand topology
• Palm scans
Type I Error (false negative): When a biometric system rejects an authorized individual.
Type II Error (false positive): When a biometric system accepts an individual who should have
been rejected. Most dangerous error and most important to avoid.
Crossover Error Rate (CER): Rating stated as a percentage and represents the point at which the
false rejection rate equals the false acceptance rate.
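The three rates are easiest to understand from a small set of match scores. The following Python is an added worked example, not part of the original notes: it computes the false rejection rate (Type I), the false acceptance rate (Type II) and the crossover point from constructed scores, assuming that a higher score means a closer match and that a sample is accepted when its score reaches the threshold.

```python
# Constructed match scores (0..1, higher = closer match). Real systems produce
# thousands of these; a handful is enough to see how the rates move with the threshold.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.66, 0.58, 0.51]    # authorized users
IMPOSTOR_SCORES = [0.62, 0.55, 0.49, 0.44, 0.38, 0.31, 0.25, 0.19]   # should be rejected


def false_rejection_rate(genuine, threshold):
    """Type I error rate: share of authorized attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type II error rate: share of unauthorized attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine, impostor, steps=1000):
    """Sweep the threshold and return (threshold, rate) where FRR and FAR are closest.

    With a finite score set the two curves may never be exactly equal, so the
    threshold with the smallest gap is reported, together with the mean of the two rates.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[2]:
            best = (t, (frr + far) / 2, gap)
    return best[0], best[1]


def threshold_for_max_far(genuine, impostor, max_far, steps=1000):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid for it.

    Because a Type II error is the one to avoid, operators usually tune above the CER
    and accept the extra false rejections this function reports.
    """
    for i in range(steps + 1):
        t = i / steps
        far = false_acceptance_rate(impostor, t)
        if far <= max_far:
            return t, false_rejection_rate(genuine, t), far
    return 1.0, 1.0, 0.0


if __name__ == "__main__":
    t, rate = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER: threshold {t:.3f}, rate {rate:.3f}")
    t, frr, far = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"No false acceptances above {t:.3f}; FRR there is {frr:.3f}")
```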
Authentication Method
• Strong
– Requires two or more methods, but they can be of the same type.
• One-factor
– Uses credentials of only one type, but may require multiple methods within the same type
• Mutual
– Requires that both parties authenticate with each other before beginning communications.
• Discretionary
• Mandatory
Discretionary Access Control (DAC)
– A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources.
– Each entry specifies access rights of the specified subject to that object
Mandatory Access Control (MAC)
– Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications.
– Higher class users may grant their privileges to other lower class users without owner notification
Non-Discretionary (Role Based) Access Control Models
– Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.
– Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
– Can dynamically assign roles to subjects based on a set of rules defined by a custodian
– Each resource object contains a set of access properties based on the rules
• Rule Based Access Control is often used for managing user access to one or more systems
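The models above differ in who decides and on what basis. The following Python is an added example, not part of the original notes, that puts a minimal decision function beside each model: an owner-maintained ACL for DAC, a clearance-versus-label comparison for MAC (the example uses the common "read only at or below your clearance" rule; that choice is the example's assumption), and role-to-permission mapping for RBAC with roles derived from custodian-defined rules. Users, roles, labels and rules are all constructed.

```python
from dataclasses import dataclass, field


# ---------------- Discretionary access control (DAC) ----------------
@dataclass
class DacObject:
    """An object whose owner keeps an access control list: one entry per subject."""
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights

    def grant(self, actor, subject, rights):
        # Discretion belongs to the owner: nobody else may edit the ACL.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject, right):
        # No entry for the subject means no access.
        return right in self.acl.get(subject, set())


# ---------------- Mandatory access control (MAC) ----------------
# Constructed label ordering; in a real system it is fixed by policy, not by users.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows_read(clearance, label):
    """A subject may read an object only if its clearance is at or above the object's label."""
    return LEVELS[clearance] >= LEVELS[label]


# ---------------- Role-based access control (RBAC) ----------------
ROLE_PERMISSIONS = {  # constructed, centrally administered: role -> permissions
    "auditor": {"read:ledger"},
    "clerk": {"read:ledger", "write:ledger"},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": set()}


def rbac_allows(user, permission, user_roles=USER_ROLES):
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, set()))


# Rule-based role assignment: roles derived from subject attributes by custodian rules.
ROLE_RULES = [  # constructed rules: (attribute, required value, role granted)
    ("department", "finance", "clerk"),
    ("department", "audit", "auditor"),
]


def roles_from_rules(attributes, rules=ROLE_RULES):
    return {role for attr, value, role in rules if attributes.get(attr) == value}


def demo():
    """Exercise each model and return the decisions so they can be checked."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", {"read"})
    try:
        doc.grant("bob", "carol", {"read"})  # bob is not the owner
        non_owner_grant_rejected = False
    except PermissionError:
        non_owner_grant_rejected = True
    return {
        "dac_bob_read": doc.allows("bob", "read"),
        "dac_bob_write": doc.allows("bob", "write"),
        "dac_non_owner_grant_rejected": non_owner_grant_rejected,
        "mac_secret_reads_confidential": mac_allows_read("secret", "confidential"),
        "mac_confidential_reads_secret": mac_allows_read("confidential", "secret"),
        "rbac_alice_write": rbac_allows("alice", "write:ledger"),
        "rbac_bob_write": rbac_allows("bob", "write:ledger"),
        "rbac_carol_read": rbac_allows("carol", "read:ledger"),
        "rules_finance": roles_from_rules({"department": "finance"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```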
Account Restrictions
• Account expiration
– Orphaned accounts are user accounts that remain active after an employee has left an
organization
• Password
– A secret combination of letters and numbers that only the user knows
• Attackers try to steal the file of hashed passwords and then break the
hashed passwords offline
– Dictionary attack
– Rainbow tables
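Both account restrictions above have a defensive counterpart that is easy to show in code. The following Python is an added example, not part of the original notes. The first part shows why an unsalted hash file is exposed to offline dictionary and rainbow-table work (equal passwords give equal hashes) and stores passwords instead with a per-user random salt and an iterated key-derivation function (PBKDF2 from the standard library; the iteration count is an assumed tuning value). The second part flags accounts that are still enabled after their expiry date or after their owner has left, which is the orphaned-account case. All account data is constructed.

```python
import hashlib
import hmac
import os
from datetime import date

ITERATIONS = 200_000  # assumption: high enough that each offline guess costs real CPU time


def unsalted_hash(password):
    """What the offline attack relies on: equal passwords give equal hashes,
    so one precomputed table serves every stolen password file."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Store salt, iteration count and PBKDF2 output; each user gets a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# --- Account expiration: enabled accounts that should no longer be active. ---
# Constructed account records; "owner_left" would come from HR data in practice.
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "expires": date(2030, 1, 1), "owner_left": False},
    {"name": "contractor7", "enabled": True, "expires": date(2023, 6, 30), "owner_left": False},
    {"name": "mjones", "enabled": True, "expires": None, "owner_left": True},
    {"name": "old_svc", "enabled": False, "expires": None, "owner_left": True},
]


def orphaned_or_expired(accounts, today):
    """Names of enabled accounts whose owner has left or whose expiry date has passed."""
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["owner_left"] or (a["expires"] is not None and a["expires"] < today))
    )


if __name__ == "__main__":
    print("same password, unsalted:", unsalted_hash("Winter2024") == unsalted_hash("Winter2024"))
    print("same password, salted:  ", make_record("Winter2024")["hash"] == make_record("Winter2024")["hash"])
    print("to disable:", orphaned_or_expired(ACCOUNTS, date(2024, 1, 15)))
```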
• Hardware locks
– Preset lock
• The easiest to use because it requires only a key for unlocking the door
from the outside
• Automatically locks behind the person, unless it has been set to remain
unlocked
– Deadbolt lock
• Extends a solid metal bar into the door frame for extra security
• Requires that the key be used to both open and lock the door
– Master keys should not have any marks identifying them as masters
– Set up a procedure to monitor the use of all locks and keys and update the
procedure as necessary
– When making duplicates of master keys, mark them “Do Not Duplicate,” and
wipe out the manufacturer’s serial numbers to keep duplicates from being
ordered
– Cipher lock
• Combination locks that use buttons that must be pushed in the proper
sequence to open the door
– Cipher locks also keep a record of when the door was opened and by which code
• Basic models can cost several hundred dollars while advanced models can
be even more expensive
– Tailgate sensor
• Use multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway, some beams are activated and then other beams are activated a short time later
• Can detect if a second person walks through the beam array immediately
behind (“tailgates”) the first person
• Physical tokens
– ID badge
• Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags
• Can be read by an RFID transceiver as the user walks through the door with the badge in her pocket
• Mantrap
– A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area
– Mantraps are used at high-security areas where only authorized persons are allowed to enter
• Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals
• Closed circuit television (CCTV)
– Using video cameras to transmit a signal to a specific and limited set of receivers
• Some CCTV cameras are fixed in a single position pointed at a door or a hallway
• Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view
• Access log
– A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
– Today, door access systems and physical tokens can generate electronic log documents
Access control best practices take into consideration the following security principles:
• Separation of duties
• Job rotation
– Instead of one person having sole responsibility for a function, individuals are
periodically moved from one job responsibility to another
• Least privilege
– Each user should be given only the minimal amount of privileges necessary to
perform his or her job function
• Implicit deny
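Three of these principles can be expressed directly in an authorization check. The following Python is an added example, not part of the original notes: the policy consists only of explicit allow rules, so any request that matches none of them is denied (implicit deny); each user holds only the roles the job needs (least privilege); and a payment may not be approved by the person who submitted it, nor may one person hold both the submitting and the approving role (separation of duties). Users, roles and the payment record are constructed.

```python
# Constructed policy: explicit allow rules only. Anything not matched is denied.
ALLOW_RULES = [  # (role, action)
    ("payments-clerk", "submit_payment"),
    ("payments-approver", "approve_payment"),
    ("auditor", "read_ledger"),
]

# Constructed role assignments: each person holds only what the job needs.
USER_ROLES = {
    "alice": {"payments-clerk"},
    "bob": {"payments-approver"},
    "carol": {"auditor"},
    "dave": set(),
}

# Role pairs one person must never hold at once (static separation of duties).
CONFLICTING_ROLES = [("payments-clerk", "payments-approver")]


def is_allowed(user, action, user_roles=USER_ROLES):
    """Implicit deny: True only if some allow rule matches one of the user's roles."""
    roles = user_roles.get(user, set())
    return any(role in roles and act == action for role, act in ALLOW_RULES)


def conflicting_assignments(user_roles=USER_ROLES):
    """Users holding two roles that policy says must be separated."""
    return sorted(user for user, roles in user_roles.items()
                  if any(a in roles and b in roles for a, b in CONFLICTING_ROLES))


def approve_payment(payment, approver, user_roles=USER_ROLES):
    """Dynamic separation of duties: the submitter of a payment may not approve it."""
    if not is_allowed(approver, "approve_payment", user_roles):
        return (False, "denied: no rule allows approve_payment")
    if payment["submitted_by"] == approver:
        return (False, "denied: submitter may not approve own payment")
    return (True, "approved")


def demo():
    """Run the checks on constructed data and return the outcomes."""
    payment = {"id": 1, "submitted_by": "alice", "amount": 500}
    with_conflict = {**USER_ROLES, "eve": {"payments-clerk", "payments-approver"}}
    return {
        "alice_submit": is_allowed("alice", "submit_payment"),
        "dave_read_ledger": is_allowed("dave", "read_ledger"),  # no rule -> denied
        "bob_approves": approve_payment(payment, "bob"),
        "alice_approves_own": approve_payment(payment, "alice"),
        "conflicts": conflicting_assignments(with_conflict),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```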