access control

Basic components: subject, object, and control policy.

Access control models:
1. Discretionary access control (DAC):
Characteristics: authorized users (the owners of objects) can pass their rights on to others, and permissions on an object are changed by its owner or by privileged users. Linux, UNIX and Windows NT (the name of the Windows family that includes releases such as Windows 10) all use this form.

Permission storage (access tables):
(1) Access control list (ACL): centred on the object; for each object it lists every subject and the rights that subject holds on it.
(2) Access capability list (ACCL): centred on the subject; for each subject it lists every object it may access and the permitted operations.
(3) Access control matrix (ACM): a two-dimensional matrix of subjects against objects expressing the authority relation; most cells are empty, so there is redundancy. The ACL and ACCL are the column and row views of this matrix.

Characteristics: flexible data access and free transfer of permissions, but that freedom brings security problems, so data protection is weak.
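The three storage forms above hold one and the same authority relation. The following is an added example, not code from the original notes: it keeps a small DAC relation as an access matrix, derives the object-centred ACL and the subject-centred capability-list views from it, and enforces the DAC rule that only an object's owner may hand out rights on it. The subjects, objects and rights are constructed for illustration.

```python
# Added example (not from the original page): one DAC authority relation held
# as an access matrix, with the ACL and capability-list views derived from it.
# Subjects, objects and rights are constructed for illustration.

# Access matrix: ACM[subject][object] = set of rights. "own" marks the owner,
# who under DAC may pass rights on to other subjects.
ACM = {
    "alice": {"report.txt": {"own", "read", "write"}, "budget.xls": {"read"}},
    "bob":   {"budget.xls": {"own", "read", "write"}},
    "carol": {},
}
OBJECTS = ["report.txt", "budget.xls"]


def acl(matrix):
    """Object-centred view (ACL): for each object, the subjects and their rights."""
    out = {obj: {} for obj in OBJECTS}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                out[obj][subj] = set(rights)
    return out


def capability_lists(matrix):
    """Subject-centred view (ACCL): for each subject, the objects it may use and how."""
    return {subj: {obj: set(r) for obj, r in row.items() if r}
            for subj, row in matrix.items()}


def is_allowed(matrix, subj, obj, right):
    """The access decision is a single cell lookup in the matrix."""
    return right in matrix.get(subj, {}).get(obj, set())


def grant(matrix, granter, subj, obj, right):
    """DAC transfer: only the object's owner may hand out a right on it.
    Returns True on success, False if the granter does not own the object."""
    if "own" not in matrix.get(granter, {}).get(obj, set()):
        return False
    matrix.setdefault(subj, {}).setdefault(obj, set()).add(right)
    return True


def matrix_cells(matrix):
    """(cells the full matrix must hold, cells that actually carry rights):
    the gap between the two is the redundancy of the matrix form."""
    total = len(matrix) * len(OBJECTS)
    used = sum(1 for row in matrix.values() for r in row.values() if r)
    return total, used
```

The owner check in grant is the whole of DAC's protection: once alice has granted carol "read", nothing in the model stops carol from copying the data onward, which is the weakness the notes refer to.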

2. Mandatory access control (MAC):

Stricter rights management. Every subject and every object is assigned a security level, and each access is decided by comparing the subject's level with the object's. Permissions are strictly tied to the level: they cannot be transferred, and they cannot be changed for an individual user.

Read/write rule instances (two strict mechanisms commonly used in the military):
(1) Write up, read down (Bell-LaPadula): a subject may read only objects at or below its own level and write only objects at or above it, so information cannot leak to a lower security level; this protects confidentiality.
(2) Write down, read up (Biba): a subject may read only objects at or above its own level and write only objects at or below it, so a lower level cannot tamper with higher-level information; this protects integrity.
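The two rules are easy to confuse because they are mirror images of each other. The following is an added example, not code from the original notes, that implements both checks over one small level lattice. The level names, subjects and objects are constructed for illustration, and the same lattice is reused for both rules purely to keep the example short; real systems keep separate confidentiality and integrity labels.

```python
# Added example (not from the original page): mandatory access control checks
# for the two rules in the notes. Levels, subjects and objects are constructed
# for illustration; one lattice serves both rules only for brevity.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Labels are fixed by the administrator; under MAC a subject can neither change
# its own label nor hand it to someone else.
SUBJECT_LEVEL = {"analyst": "secret", "clerk": "confidential"}
OBJECT_LEVEL = {"ops_plan": "top_secret", "memo": "confidential", "notice": "unclassified"}


def _levels(subject, obj):
    return LEVELS[SUBJECT_LEVEL[subject]], LEVELS[OBJECT_LEVEL[obj]]


def confidentiality_allows(subject, obj, op):
    """'Write up, read down' (Bell-LaPadula): read objects at or below your
    level, write objects at or above it, so data never flows downward."""
    s, o = _levels(subject, obj)
    if op == "read":
        return o <= s
    if op == "write":
        return o >= s
    raise ValueError("unknown operation: %r" % op)


def integrity_allows(subject, obj, op):
    """'Write down, read up' (Biba): read objects at or above your level,
    write objects at or below it, so low-integrity data never contaminates
    higher-integrity objects."""
    s, o = _levels(subject, obj)
    if op == "read":
        return o >= s
    if op == "write":
        return o <= s
    raise ValueError("unknown operation: %r" % op)


def explain(subject, obj, op):
    """Which of the two policies would permit this access."""
    return {
        "confidentiality": confidentiality_allows(subject, obj, op),
        "integrity": integrity_allows(subject, obj, op),
    }
```

Note the consequence of "write up": the secret-level analyst may write into the top-secret ops_plan without being able to read it back. That blind write is allowed by the confidentiality rule and forbidden by the integrity rule, which is why systems that need both typically pair a confidentiality label with a separate integrity label rather than a single level.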

3. Role-based access control (RBAC):
A composite model designed to combine the two extremes (discretion and compulsion).
Users are no longer considered individually but organized into groups, and the permissions on objects are bundled into roles; a role has its own specific abilities, so a user obtains permissions by way of a role rather than directly.

This preserves the flexibility of DAC, since a user can take different roles to obtain different permissions, while keeping access strict: the roles are fixed, roles cannot be freely combined, and role acquisition is controlled.
The administrator decides which roles are obtained, added or deleted; there is no free transfer by users. This is the difference between RBAC and DAC.
Permissions are organized by role, and a role may carry permissions at different security levels, so there is no notion of a security level; roles are added on demand. This is the difference between RBAC and MAC.
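The following is an added example, not code from the original notes, of the RBAC structure just described: permissions attach to roles, users hold permissions only through their roles, the set of roles is fixed, and only an administrator can assign or revoke a role. The role names, permissions and users are constructed for illustration.

```python
# Added example (not from the original page): a minimal RBAC model. Roles,
# permissions, users and the administrator set are constructed for illustration.

# The fixed role catalogue: a permission is an (object, action) pair, and a
# user can never hold one except through a role.
ROLE_PERMISSIONS = {
    "reader":  {("report", "read")},
    "editor":  {("report", "read"), ("report", "write")},
    "auditor": {("audit_log", "read")},
}
ADMINS = {"root"}   # only these accounts may change user-role assignments


class RBAC:
    def __init__(self):
        self.user_roles = {}   # user -> set of role names

    def assign_role(self, actor, user, role):
        """Role assignment is an administrative act, not a transfer by the
        user (the difference from DAC), and only catalogued roles exist
        (users cannot invent or combine roles). Returns True on success."""
        if actor not in ADMINS or role not in ROLE_PERMISSIONS:
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def revoke_role(self, actor, user, role):
        if actor not in ADMINS:
            return False
        self.user_roles.get(user, set()).discard(role)
        return True

    def permissions(self, user):
        """Effective permissions are the union over the user's roles."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_allowed(self, user, obj, action):
        return (obj, action) in self.permissions(user)


def scenario():
    """A worked sequence: a non-admin cannot grant, the admin grants and
    revokes, and the user's rights track its roles. Returns the decisions."""
    r = RBAC()
    return [
        r.assign_role("alice", "bob", "editor"),     # alice is not an admin
        r.assign_role("root", "bob", "superuser"),   # no such role
        r.assign_role("root", "bob", "editor"),
        r.is_allowed("bob", "report", "write"),
        r.is_allowed("bob", "audit_log", "read"),
        r.assign_role("root", "bob", "auditor"),
        len(r.permissions("bob")),
        r.revoke_role("bob", "bob", "editor"),       # users cannot self-revoke
        r.revoke_role("root", "bob", "editor"),
        r.is_allowed("bob", "report", "write"),
    ]
```

Because bob's rights are recomputed from his current roles on every check, revoking the editor role takes effect immediately; there is no per-user permission to clean up, which is what makes role changes controllable in this model.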

Basic principles of access control models:
(1) Principle of least privilege: give a subject the minimum rights it needs to do its job, and no more.
(2) Principle of minimum leakage: while exercising a right, the subject should obtain as little information as possible.
(3) Multilevel security policy: take the security level of information into account, so that high-level information never leaks to low-level subjects.

Example of system security management: Windows NT
User authentication -> encryption / access control -> audit / administration; the core is the security policy.
The subjects of security management are users, groups, computers (resources) and domains.

There are two security services: the Security Reference Monitor (SRM, in kernel mode) and the Local Security Authority (LSA, in user mode). The SRM is the foundation: it enforces access control on objects and, together with the LSA, monitors access and produces the audit records.

Windows access control:
Built from the access token and the security descriptor.

SID: the security identifier assigned to each account or group; it is unique within a system. The last sub-authority of the SID is the relative identifier (RID): RID 500 is Administrator, RID 501 is Guest, and RIDs for user-created accounts start at 1000.

Access token: privilege information built from the account data read at logon; it holds the user's SID, group SIDs and privileges and is the user's ticket for accessing the system. Every subsequent access to a resource is judged against the token, so to change the token the user must log off and log on again.

Security descriptor: an attribute of the accessed object, containing the owner SID and the ACLs, which are divided into the DACL, stating which subjects are permitted which operations, and the SACL, stating which subject operations are recorded in the audit log.
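The following is an added example, not code from the original notes or from Windows itself, showing how the pieces above combine: it reads the RID out of an SID string, and it evaluates a DACL the way the Windows access check does (ACEs walked in order, a matching allow ACE grants its bits, a matching deny ACE that covers any still-outstanding bit refuses access) and reports which SACL entries would produce an audit record. The access-mask bits, the domain part of the SIDs, the token and the ACEs are constructed for illustration; S-1-1-0 is the real well-known SID for Everyone.

```python
# Added example (not from the original page): SID/RID interpretation and a
# Windows-style DACL/SACL evaluation. The access-mask bits, the domain part of
# the SIDs, the token and the ACEs are constructed for illustration.
ALLOW, DENY = "allow", "deny"
READ, WRITE, DELETE = 0x1, 0x2, 0x4      # illustrative access-mask bits

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed sample SIDs: the domain identifier is made up; S-1-1-0 is the
# real well-known SID for the Everyone group.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ADMIN_SID, GUEST_SID, BOB_SID = DOMAIN + "-500", DOMAIN + "-501", DOMAIN + "-1001"
EVERYONE_SID = "S-1-1-0"

# Tokens as built at logon: the user's own SID plus its group SIDs.
BOB_TOKEN = {BOB_SID, EVERYONE_SID}
GUEST_TOKEN = {GUEST_SID, EVERYONE_SID}

# A canonically ordered DACL: deny ACEs before allow ACEs. Each ACE is
# (type, trustee SID, access mask).
DACL = [
    (DENY, GUEST_SID, WRITE),
    (ALLOW, BOB_SID, READ | WRITE),
    (ALLOW, EVERYONE_SID, READ),
]
# The same intent in the wrong order: the allow is met first and the deny
# never gets a chance to apply.
NON_CANONICAL_DACL = [
    (ALLOW, EVERYONE_SID, WRITE),
    (DENY, GUEST_SID, WRITE),
]
# SACL entries: (trustee SID, mask, audit on success, audit on failure).
SACL = [(EVERYONE_SID, WRITE, True, True)]


def rid(sid):
    """The relative identifier is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def account_kind(sid):
    r = rid(sid)
    if r in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[r]
    return "user-created" if r >= 1000 else "built-in"


def access_check(token_sids, dacl, requested):
    """Walk the DACL in order. An ALLOW ACE for one of the token's SIDs grants
    its bits; a DENY ACE that covers any still-ungranted requested bit refuses
    access at once. Reaching the end with bits outstanding is a denial.
    dacl=None models a NULL DACL (everything allowed); an empty list grants
    nothing."""
    if dacl is None:
        return True
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == DENY and mask & remaining:
            return False
        if ace_type == ALLOW:
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def audited(token_sids, sacl, requested, granted):
    """Trustee SIDs of the SACL entries that would write an audit record for
    this attempt, given whether the DACL check granted it."""
    return [sid for sid, mask, on_ok, on_fail in sacl
            if sid in token_sids and mask & requested
            and ((granted and on_ok) or (not granted and on_fail))]
```

Two points a practitioner should take from running this: ACE order is part of the policy, since the non-canonical list lets Guest write despite the deny ACE, and a security descriptor with no DACL at all is the opposite of one with an empty DACL. The real check also maps generic rights, gives the owner implicit rights and honours token privileges; those are left out here.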

Windows network management:
Active Directory (AD): network objects (users, computers, devices, servers, domains, departments, security policies) are organized into organizational units (OUs), which amounts to grouping objects by type so they can be recorded and managed.

Group Policy (GP): different OUs are given different GPs, which apply the corresponding security configuration. The registry is the database of system and application configuration; a GP merges its settings into one set and applies them, which in practice means modifying the registry. GP is divided into AD GP and local GP. The former is stored in the AD database on the domain controller, acts on the OUs it is linked to, and is managed by the domain administrator; the latter is stored on the local computer, acts on that machine, and is managed by the local administrator. When the user logs on to AD, the AD GP overrides the local GP because it has the higher priority.
