•PrincipleofNeedtoKnow-Usersshouldonlyhaveaccesstoinformationthattheyabsolutelyneedtoknowtodotheirjobs.TypesofAccessControlSystems•MandatoryAccessControl(MAC):Rule-basedaccesswhereauthorizationtouseanobjectdependsonlabelsindicatingtherelativesecurityclearanceofasubject.•DiscretionaryAccessControl(DAC):SubjectshaveauthoritytostatewhichobjectsareaccessiblethroughtheuseofACLs.Thelevelofaccessisdependentontheidentityofthesubject.•Non-DiscretionaryAccessControl(NDAC):Anadministratordecideswhichsubjectshaveaccesstocertainobjectsbasedonanorganization-widesecuritypolicy.Theycanberole-basedortask-basedinnature.•Lattice-basedAccessControl(LBAC):Anadministratorspecifiestheboundariesofauthorityforeachsubjectandusesthemtodeterminepermissions.Thisisatypeofnon-discretionaryaccesscontrol.•CentralizedAccessControl(CAC):Authenticationandauthorizationhasasinglepointofentry.TherearethreecommontypesofCACs.4RemoteAuthenticationDial-InUserService(RADIUS)4TerminalAccessControllerAccessSystem(TACAS)4ActiveDirectory•DecentralizedAccessControlSystems(DACS):AseriesofdiverseACSslocatedthroughoutanenterpriseandbuiltintoothersystems,notrequiringdedicatedhardwareorsoftware.Kerberosisanysoftwareusedonanetworktoestablishauser’sidentity.Ithasthreecomponents:aKeyDistributionCenter(KDC),anAuthenticationService(AS)andaTicketGrantingService(TGS).KerberosAuthenticationfollowssixsteps:1.ClientcontactsASontheKDCandrequestsaTGT.2.ASsendsclientaTGTencryptedwithTGSkey.3.ClientsendsmessagetoTGSwitharequestforauthenticationtoaservice:theTGTobtainedfromASandtheauthenticatorencryptedwithsessionkeyfromStep2.4.TGTsendsclientasessionticketencryptedwithapplicationserver’skeyandsessionkey.5.Clientsendssessiontickettoapplicationserveralongwithanauthenticatorencryptedwithapplicationserversessionkey.6.Applicationserververifiessessionticketandgrantsaccess.Therearethreemainauthenticationtechniques:1.WhatYouKnow:Passwordsorpassphrases.2.WhatYouHave:Accesstokens,physicalkeys,orIDCards.3.WhatYouAre:Biometricsinclud...
