Page 57 - DCAP516_COMPUTER_SECURITY
P. 57
Unit 5: Access Control Mechanism
4. Modern access control are more commonly referred to in the industry as ………………….. Notes
5. ………………………….” is the ability to permit or deny the use of a particular resource by
a particular entity.
6. …………………….. refers to the ability to add, delete, and modify user accounts and user
account privileges.
5.3 Access Control Lists
All objects in the Windows NT environment can have an Access Control List (ACL). An ACL
defines a set of users and groups and the kind of access each has on the object. The most visible
and important ACLs are those that protect all elements in the Windows NT native file system
format (NTFS) and the Windows NT registry. These house all software that enforces Windows
NT security and ACLs are, therefore, important in protecting the system’s integrity. (Windows
NT sometimes uses encryption for additional protection, for example, its user accounts and
other key security data.)
Users have full control of ACLs on the files, directories and other objects they create and use
simple window interfaces to manage them. They also can specify the ACL to be given by default
to all newly created objects in the directories they manage.
ACLs protect other objects, such as file shares and printers and most of the BackOffice applications
extend the ACL model to data they manage. It is often necessary for an application to have a
customized ACL format for the objects it manages. In both cases the purpose and the intent are
the same.
Central Administration and Roles
Windows NT uses a simple administrative hierarchy. Full administrators, members of the local
administrators group on each computer, have complete power over that computer. Windows
NT Server includes several operator roles each of limited power, for example, account operators
who manage user accounts and server operators who look after day-to-day server operations.
Administration is based simply on membership in certain groups so you can devise network-
wide administrative roles flexibly. For example, you can include domain administrators from
the local domain (or remote domains) to the administrators who control LAN workstations.
One also can create a group for accounts that administer only user workstations and not the
more critical network servers.
Remote access Service and Point-to-point Tunneling Protocol
Remote Access Service (RAS) allows remote users to dial in to an RAS server and use the
resources of its network in directly connected. In its simplest mode, users logging on to Windows
NT remotely simply by checking a small box on their logon window that automatically establishes
the RAS connection and authenticates the session. RAS uses the Windows NT standard single-
logon technique, and users can log on under their office account. As a whole, working from the
road is identical to working from one’s office and it is secure.
Administrators designate which accounts can use RAS. They also can set up RAS to automatically
“call back” a specific number for each account. This ensures that a user’s remote access comes
only from a specific phone number. RAS uses the Windows NT standard “challenge/response”
logon, which prevents passwords from passing over the communication link. RAS clients and
servers can require that all communication be encrypted, currently by the 40-bit or 128-bit RC4
cipher. The user also can limit remote access to the resources of the RAS server itself.
LOVELY PROFESSIONAL UNIVERSITY 51
