714 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
another Web server will remedy the problem. However, if the escalation had not
been monitored, the administrator would not have known this additional server
was needed until after problems occurred.
MAC/DAC/RBAC
Chapter 1 of this book discussed several methods of access control including
Mandatory Access Control (MAC), Discretionary Access Control (DAC), and
Role-Based Access Control (RBAC). Each of these may be used in various OSes
to provide access to systems and resources. It is important to understand them for
the Security+ exam, so the following sections review and expand on the earlier
discussion.
MAC is the only method of the three that is considered to be a military-
strength access control. With MAC, every account (the subject) and every object carries
a security label that the administrator assigns under a system-wide policy: a sensitivity
level, and optionally a set of categories or compartments. Access is granted only when the
subject's clearance dominates the object's label, that is, when the clearance level is at
least the object's level and the clearance includes every category on the object. Neither
the user nor the owner of the object can change these labels; only the administrator can.
For example, a user in Sales needs access to print to a color laser printer in his or her
branch office. Because the administrator does not want everyone to use the printer, they
label it so that guests in Sales and people from other departments cannot print to it: the
printer carries the Sales category and a sensitivity level above that given to guests. A Sales
employee whose clearance carries the Sales category and an equal or higher level can
print. A guest who has the Sales category but too low a level, or an engineer with a high
level but no Sales category, cannot. Without both labels, the user is unable to print. This
example shows that MAC provides a granular, centrally enforced level of security, allowing
administrators to specifically control who has access to resources and data.
Although DAC is less stringent than MAC, it also provides access on the basis of
users and groups, typically through an access control list (ACL) attached to each object.
The difference is that DAC allows access to data to be granted or denied at the discretion
of the owner of the data. For example, if a user creates a file, they have ownership of it.
Being the owner, they can then give anyone else access to it without involving an
administrator. In secure environments, this can be a major problem, as access can be
acquired on the basis of friendship with the file's owner rather than an actual need for
access, and any program running with the owner's privileges (including malware) can
grant that access just as the owner could.
RBAC involves users being associated with different roles to obtain access to
resources and data. Permissions are attached to the role rather than to individual users:
a network administrator creates the role with certain privileges and associates users with
it, so changing what a job function may do means changing the role once rather than
editing every user. For example, a dentist's office uses RBAC as a method of access.
Roles may be created for the dentist, receptionist, and dental assistant. The
receptionist would need to view billing information and recommendations on
when the patient should return for the next visit, but would not need to view clin-
www.syngress.com
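To make the three models concrete, the following is an added example (not code from the study book) that implements each access decision in a few lines: MAC as label dominance over administrator-assigned levels and categories, DAC as an owner-controlled ACL, and RBAC as role-to-permission mapping. The printer labels, the users alice/bob/drsmith/pat/kim, the sensitivity levels and the dentist's-office permission names are all constructed for the illustration and are not part of the original text.

```python
"""Added example: toy MAC, DAC and RBAC decision logic (not from the study book).
All levels, labels, users, roles and permissions below are constructed."""
from dataclasses import dataclass

# ---------------- MAC: administrator-assigned labels, compared by dominance ----------
# Sensitivity levels ordered low -> high (constructed hierarchy).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "RESTRICTED": 2}


@dataclass(frozen=True)
class Label:
    """A MAC label: a sensitivity level plus a set of categories (compartments)."""
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        # A subject may access an object only if its clearance level is at least the
        # object's level AND its categories include every category on the object.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allowed(clearance: Label, obj_label: Label) -> bool:
    """MAC decision. Labels are frozen: neither user nor owner can alter them."""
    return clearance.dominates(obj_label)


# The chapter's color-printer example expressed as labels (constructed values).
COLOR_PRINTER = Label("INTERNAL", frozenset({"SALES"}))
SALES_USER = Label("INTERNAL", frozenset({"SALES"}))        # both required labels
SALES_GUEST = Label("PUBLIC", frozenset({"SALES"}))         # right category, level too low
ENGINEER = Label("RESTRICTED", frozenset({"ENGINEERING"}))  # high level, wrong category


# ---------------- DAC: the object's owner controls the ACL ----------------
class DacFile:
    """A file whose owner may grant access to anyone at their own discretion."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, granter: str, grantee: str, perms: set) -> None:
        # Only the owner may change the ACL; that is the 'discretion' in DAC.
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of this file")
        self.acl.setdefault(grantee, set()).update(perms)

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


def dac_friend_grant_demo() -> tuple:
    """Shows the weakness the chapter notes: the owner (alice) hands read access to a
    friend (bob) with no administrator involved. Returns (before, after)."""
    f = DacFile(owner="alice")
    before = f.allowed("bob", "read")
    f.grant("alice", "bob", {"read"})
    after = f.allowed("bob", "read")
    return before, after


# ---------------- RBAC: permissions attach to roles, users to roles ----------------
# Constructed roles for the chapter's dentist's-office example.
ROLE_PERMS = {
    "dentist": {"view_clinical", "edit_clinical", "view_billing", "view_recall"},
    "receptionist": {"view_billing", "view_recall"},
    "dental_assistant": {"view_clinical", "view_recall"},
}
USER_ROLES = {"drsmith": {"dentist"}, "pat": {"receptionist"}, "kim": {"dental_assistant"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """A user holds a permission if any role assigned to them carries it.
    Unknown users and unknown roles are denied rather than raising (fail closed)."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    print("MAC  sales user  -> printer:", mac_allowed(SALES_USER, COLOR_PRINTER))
    print("MAC  sales guest -> printer:", mac_allowed(SALES_GUEST, COLOR_PRINTER))
    print("MAC  engineer    -> printer:", mac_allowed(ENGINEER, COLOR_PRINTER))
    print("DAC  bob reads before/after owner grant:", dac_friend_grant_demo())
    print("RBAC receptionist views billing :", rbac_allowed("pat", "view_billing"))
    print("RBAC receptionist views clinical:", rbac_allowed("pat", "view_clinical"))
```

The contrast worth noticing is where the decision data lives: in the MAC block only the administrator's `LEVELS` and labels matter and no function lets a user edit them; in the DAC block the owner alone rewrites the ACL; in the RBAC block a permission change is a single edit to `ROLE_PERMS` that takes effect for every user holding the role.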