Access control refers to controlling access to resources on a computer or network system. Without it, everyone would be able to access everything: employees could view their manager's salary information or read each other's email, and malicious outsiders such as competitors could dial into your remote access server and read your company's strategic plans for the next five years. With access controls in place, users are identified, authenticated, and authorized before they can actually access resources or perform operations on a system.
In other words, access controls determine which objects a subject can access. Subject and object are the two key terms used in access control models and technologies. A subject is someone or something (a user, an application, or a system process) to which access to an object is granted or denied. Examples of objects are files, printers, applications, and system processes; a process can be a subject in one operation and an object in another.
Access Control Models
Access control models give developers who need to implement access control functionality in their software and devices a proven design to start from. Instead of reinventing the wheel for every system and designing a complex access control mechanism from scratch, developers can build on existing, well thought-out models. For the Security+ exam, there are three types of access control models that you need to be able to explain and differentiate: MAC, DAC, and RBAC.
Discretionary Access Control (DAC)
A widely used type of access control model is Discretionary Access Control (DAC). In a DAC model, a subject has complete control over the objects it owns and the programs it executes: the owner decides, at its own discretion, who else gets access. For example, user Alice owns a file called mywork.doc. She allows mywork.doc to be read by Bob and by members of the Sales group and gives no one else access to it. The better implementations of DAC support a need-to-know approach by denying access to everyone by default, so that access permissions must be assigned explicitly to those who need them.
A program executed by a user runs with the same permissions as the user who executes it; the system cannot tell whether an operation is the user's own intent or a program acting in the user's name. The security of the system therefore depends on the applications being executed, and a security breach in an application can affect every object the user has access to. This makes DAC very vulnerable to Trojan Horses. For example, suppose subject Alice has read and write access to the object file1.doc. Charlie, a malicious attacker, writes a program that, when executed, creates a new object file2.doc. Because the program runs as Alice, file2.doc is owned by Alice, and the program grants Charlie read access to it. Charlie disguises the program as legitimate software and sends it to Alice. When Alice runs it, it has Alice's privileges, so it can copy the content of file1.doc into file2.doc, effectively exposing the content of file1.doc to Charlie, without violating any permission Alice set on file1.doc. Imagine an administrator executing the program: the attacker would obtain maximum privileges, jeopardizing the security of the entire system.
Mandatory Access Control (MAC)
In Mandatory Access Control (MAC) models, the administrator (or security officer) defines a policy and the system enforces it; users, including the owners of objects, cannot modify it. The policy indicates which subjects may access which objects. This model can raise the level of security because no operation is allowed unless the policy explicitly authorizes it, and a program running on a user's behalf cannot give away more access than the policy permits. MAC was developed for and is implemented in systems where confidentiality has the highest priority, such as military systems. Subjects receive a clearance label and objects receive a classification label; both are also referred to as security levels.
In the original MAC model by Bell and LaPadula, access rights are granted by comparing the numeric access level of a subject with the level assigned to an object. For example, an administrator has access level 65535, Alice level 100, and Guest level 1. There are two files: file1.doc has a level of 2 and file2.doc a level of 200. Alice can read only file1.doc, Guest can read neither file, and the administrator can read both. To read an object, the subject's level must be equal to or higher than the object's level; this is the simple security property, often summarized as "no read up". The Bell-LaPadula model underlies what is known as Multi-Level Security (MLS). MLS, typically used in military environments, labels each object with a named level such as "top secret", "secret", "confidential", or "unclassified". Only users at the same level or a higher level can read the object. Access is further restricted on a need-to-know basis, an application of the principle of least privilege: users can only access the objects they need to do their job (MLS implementations express this with categories, or compartments, attached to the level). Additionally, subjects cannot write down, meaning they cannot write to, or create, objects with a lower security label than their own; this is the *-property (star property). It prevents a subject, or a Trojan running as that subject, from passing secrets to subjects with a lower security label, and hence keeps information confidential.
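To make the difference concrete, here is an added example (not part of the original article or of any product it mentions) that replays the Trojan-horse scenario from the DAC section under a toy DAC monitor and then under a toy Bell-LaPadula monitor. Subject names, file names, file contents and the clearance labels are invented; the rank helper also accepts plain integers so that the 65535/100/1 levels above can be checked the same way.

```python
# Added example (not from the original article): a toy reference monitor that
# runs the Trojan-horse scenario under DAC and then under Bell-LaPadula MAC.
# Names, labels and contents are invented; no real operating-system API is used.
from dataclasses import dataclass, field

# MLS labels ranked from lowest to highest sensitivity.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def rank(label):
    # Order of a label; plain integers (the article's 65535/100/1) pass through.
    return LEVELS[label] if isinstance(label, str) else label


@dataclass
class DacObject:
    owner: str
    content: str = ""
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)


class DacSystem:
    """Discretionary: the owner decides who gets access; the default is deny."""

    def __init__(self):
        self.objects = {}

    def create(self, owner, name, content=""):
        self.objects[name] = DacObject(owner, content, {owner}, {owner})

    def grant(self, actor, name, subject, mode):
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError(f"{actor} does not own {name}")
        (obj.readers if mode == "read" else obj.writers).add(subject)

    def read(self, subject, name):
        obj = self.objects[name]
        if subject not in obj.readers:
            raise PermissionError(f"{subject} may not read {name}")
        return obj.content

    def write(self, subject, name, data):
        obj = self.objects[name]
        if subject not in obj.writers:
            raise PermissionError(f"{subject} may not write {name}")
        obj.content = data


class MacSystem:
    """Mandatory: labels come from policy; no subject, owner or not, changes them."""

    def __init__(self, clearances):
        self.clearances = clearances   # subject -> clearance label
        self.objects = {}              # name -> [classification, content]

    def create(self, name, label, content=""):
        self.objects[name] = [label, content]

    def can_read(self, subject, name):
        # Simple security property: no read up.
        return rank(self.clearances[subject]) >= rank(self.objects[name][0])

    def can_write(self, subject, name):
        # *-property: no write down.
        return rank(self.clearances[subject]) <= rank(self.objects[name][0])

    def read(self, subject, name):
        if not self.can_read(subject, name):
            raise PermissionError(f"read up denied: {subject} -> {name}")
        return self.objects[name][1]

    def write(self, subject, name, data):
        if not self.can_write(subject, name):
            raise PermissionError(f"write down denied: {subject} -> {name}")
        self.objects[name][1] = data


def trojan(system, victim, source, target):
    # Charlie's program, run by the victim: every call is checked against the
    # victim's permissions, not Charlie's.
    system.write(victim, target, system.read(victim, source))


def dac_scenario():
    dac = DacSystem()
    dac.create("alice", "file1.doc", "five-year plan")
    # Running as Alice, the Trojan creates file2 and lets Charlie read it.
    dac.create("alice", "file2.doc")
    dac.grant("alice", "file2.doc", "charlie", "read")
    trojan(dac, "alice", "file1.doc", "file2.doc")
    return dac.read("charlie", "file2.doc")             # the secret leaks


def mac_scenario():
    mac = MacSystem({"alice": "secret", "charlie": "confidential"})
    mac.create("file1.doc", "secret", "five-year plan")
    mac.create("file2.doc", "confidential")   # highest label Charlie can read
    try:
        trojan(mac, "alice", "file1.doc", "file2.doc")
    except PermissionError as err:
        return str(err)                       # no write down: copy refused
    return mac.read("charlie", "file2.doc")
```

Under DAC the copy succeeds because file2.doc, created while the Trojan ran as Alice, is Alice's to share. Under MAC the same program is refused at the write: Alice's clearance (secret) is above the label of file2.doc (confidential), and the *-property forbids writing down, while her read of file1.doc is still allowed.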
Role Based Access Control (RBAC)
The third main type of access control model is Role Based Access Control (RBAC). In RBAC models, an administrator defines a set of roles, attaches permissions to those roles, and assigns roles to subjects. Different roles can exist for system processes and for ordinary users. Objects are given a type, and subjects holding a role that carries permissions on that type get access. Because permissions follow the role rather than the individual, this saves an administrator the tedious job of defining permissions per user, and a change to a role takes effect for every subject holding it.
A related model is Rule-Based Access Control, which, to confuse matters a bit, is sometimes referred to as Rule-Based Role-Based Access Control (RB-RBAC). It includes mechanisms to dynamically assign roles to subjects based on their attributes and a set of rules defined by a security policy. For example, you are a subject on one network and you want access to objects in another network that sits behind a router configured with access control lists. The router can assign you a certain role based on your network address or protocol, and that role determines whether you are granted access or not.
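As an added example (not from the original article), the following toy authorization engine combines the two ideas in this section: a static RBAC table that maps roles to permissions and users to roles, plus rule-based role assignment that matches a request's source network and protocol in the manner of the router access list above. The role names, permission tuples, subnets and rules are invented.

```python
# Added example (not from the original article): a minimal RBAC engine with
# rule-based role assignment. Roles, permissions, subnets and rules are invented.
import ipaddress

# RBAC: permissions are attached to roles, never directly to users, so a change
# to a role's permissions applies to every user who holds that role.
ROLE_PERMISSIONS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "backup_operator": {("file", "read"), ("file", "backup")},
    "helpdesk": {("ticket", "read"), ("ticket", "write"), ("user", "reset_password")},
}

# Static user -> roles assignment maintained by the administrator.
USER_ROLES = {
    "alice": {"sales"},
    "bob": {"backup_operator", "helpdesk"},
}

# Rule-based: a role is granted dynamically from attributes of the request, the
# way a router ACL matches on source network and protocol. proto=None means any.
RULES = [
    {"network": "10.1.0.0/16", "proto": "https", "role": "sales"},
    {"network": "10.2.0.0/24", "proto": None, "role": "helpdesk"},
]


def static_roles(user):
    return set(USER_ROLES.get(user, ()))


def dynamic_roles(attrs):
    """Roles earned by the request attributes: src (IP string) and proto."""
    src = ipaddress.ip_address(attrs["src"])
    roles = set()
    for rule in RULES:
        in_net = src in ipaddress.ip_network(rule["network"])
        proto_ok = rule["proto"] in (None, attrs["proto"])
        if in_net and proto_ok:
            roles.add(rule["role"])
    return roles


def effective_roles(user, attrs):
    return static_roles(user) | dynamic_roles(attrs)


def permissions_for(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, attrs, obj_type, action):
    """Decision: does any of the subject's effective roles carry the permission?"""
    return (obj_type, action) in permissions_for(effective_roles(user, attrs))


def revoke_from_role(role, obj_type, action):
    """The administrator edits the role once; every holder loses the permission."""
    ROLE_PERMISSIONS[role].discard((obj_type, action))


if __name__ == "__main__":
    lan = {"src": "10.1.5.5", "proto": "https"}
    print(is_authorized("alice", lan, "crm", "write"))   # True: static role
    print(is_authorized("carol", lan, "crm", "read"))    # True: rule-assigned role
    print(is_authorized("carol", {"src": "10.1.5.5", "proto": "ssh"}, "crm", "read"))  # False
```

Note that carol has no entry in USER_ROLES at all: her access to the CRM comes purely from the rule that maps HTTPS traffic from 10.1.0.0/16 to the sales role, and it disappears as soon as she connects over another protocol or from another network.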
Modern operating systems use a combination of the access control models described. Although Windows NT does not actually implement the RBAC model, it simulates it with built-in groups such as Power Users, Server Operators, and Backup Operators. An administrator can add further groups, typically based on job functions and departments. Users with the appropriate permissions can share resources such as files and printers and give access to other users and/or groups at their own "discretion", according to the DAC model.