Standard for managing access rights to corporate file information resources. Implementation of a mechanism for differentiating access rights to the admin part


Across Russia, many firms and small businesses have no system administrator on staff, either permanently or on call. The company grows, and sooner or later one shared network folder in which everyone can do whatever they want is no longer enough. Access control for different users or groups of users on the MS Windows platform becomes necessary. Linux users and experienced admins, please skip this article.

The best option is to hire an experienced administrator and think about buying a server. An experienced admin will decide on the spot whether to set up MS Windows Server with Active Directory or use something from the Linux world.

But this article is for those who have decided to struggle on their own for now, without modern software solutions. I will at least try to explain how to implement the separation of access rights correctly.

Before we begin, I would like to cover a couple of points:

  • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be: one person = one account.
  • The article describes a company that has no admin of its own and has not bought, for example, MS Windows Server. A regular client edition of MS Windows serves no more than 10 concurrent network connections on Windows XP and 20 on Windows 7. Microsoft did this deliberately, so that client Windows does not compete with Windows Server and undercut Microsoft's server business. Remember the numbers 10-20: when your company has more than 10-20 people, you will have to think about buying MS Windows Server or ask someone to set up a free Linux Samba server for you, which has no such restriction.
  • Since you do not have a competent administrator, an ordinary computer with client MS Windows will play the role of the file server. You will be forced to duplicate on it the user accounts from the other computers so that they can reach the shared files. In other words, if on PC1 there is an accountant Olya with the account olya, then on this "server" (hereinafter WinServer) you need to create an olya account with the same password as on PC1.
  • People come and go. Staff turnover is everywhere, and if you are the poor soul who is not an administrator but has been assigned (forced) to support the company's IT, here is some advice. Create accounts that are not tied to a person: for managers manager1, manager2; for accountants buh1, buh2; or something similar. Has the person left? The next one will not be offended at using manager1. Agree, this is better than Semyon using the olya account because it is broken, nobody is there to redo it, and it has been working this way for a hundred years.
  • Forget phrases like "put a password on the folder". The days when passwords were attached to resources are long gone. The philosophy of working with resources has changed. Now the user logs into the system with an account (identification), confirms it with a password (authentication), and is given access to all the resources they are authorized for. Log in once and have access to everything; that is what to remember.
  • It is advisable to perform the following actions from the built-in Administrator account or from the first account created in the system, which by default is a member of the Administrators group.

Preparation.

In Explorer, turn off simplified sharing so that the options we need become visible.

  • MS Windows XP. Menu Tools - Folder Options - View. Uncheck "Use simple file sharing (Recommended)".
  • MS Windows 7. Press Alt. Menu Tools - Folder Options - View. Uncheck "Use Sharing Wizard (Recommended)".

Create a folder on the WinServer computer that will store your wealth in the form of files with orders, contracts, and so on. In my example it will be C:\dostup\. The folder must be created on an NTFS partition; FAT32 volumes have no file permissions at all.

Network access.

At this stage the folder needs to be made available over the network (shared) so that other users can work with it from their computers on the local network.

And most importantly: share the folder with Full Control for Everyone! Yes, yes, you read that right. But what about access control?

We allow everyone to connect to the folder over the local network, BUT we will restrict access with the permissions stored in the NTFS file system on which our directory sits. Share permissions and NTFS permissions are combined and the more restrictive of the two wins, so with Everyone = Full Control on the share, the NTFS permissions alone decide who may do what.

  • MS Windows XP. Right-click the folder (C:\dostup\) and select Properties. Sharing tab - Share this folder - Permissions - Everyone: Full Control.
  • MS Windows 7. Right-click the folder (C:\dostup\) and select Properties. Sharing tab - Advanced Sharing. Tick Share this folder. Fill in the Comments. Click Permissions. The Everyone group must have Full Control on the share.

Users and security groups.

You need to create the necessary user accounts. I remind you that if different user accounts are used on your many personal computers, they all have to be created on your "server" with the same passwords. This can only be avoided if you have a competent administrator and the computers are in Active Directory. No? Then carefully create your accounts.

  • MS Windows XP. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Users. Action menu - New User.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Users. Action menu - New User.

Now for the most important thing: groups! Groups hold user accounts and simplify granting rights and controlling access.

"Applying rights" to directories and files is explained below, but for now the main thing is to grasp one idea. Rights to folders or files are granted to groups, which can be thought of as containers, and the groups "pass" those rights on to the accounts they contain. That is, think at the level of groups, not individual accounts.

  • MS Windows XP. Control Panel - Administrative Tools - Computer Management.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Groups. Action menu - New Group.

The required accounts need to be added to the required groups. For example, right-click the Accountants group and choose Add to Group, or Properties and then the Add button. In the field Enter the object names to select type the name of the account and click Check Names. If everything is correct, the account name changes to the form SERVERNAME\account. In the picture above, the buh3 account has become WINSERVER\buh3.
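The preparation steps above (NTFS folder, share with Everyone = Full Control, local accounts and groups) as an added PowerShell example; this is not code from the original article. It assumes Windows 7 or later, an elevated PowerShell 2.0+ session, that C: is the data volume, and the article's example names (dostup, Accountants, Managers, buh1..buh3, manager1..manager2); passwords are prompted for at run time rather than written into the script.

```powershell
# Added example (not from the original article): folder, share, accounts, groups.
# Assumptions: Windows 7+, elevated PowerShell; names are the article's examples.
$ErrorActionPreference = 'Stop'

$root  = 'C:\dostup'
$share = 'dostup'
$plan  = @{                      # group -> accounts that belong to it
    'Accountants' = @('buh1', 'buh2', 'buh3')
    'Managers'    = @('manager1', 'manager2')
}

# 1. The folder must sit on NTFS: FAT32 volumes have no file permissions at all.
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").FileSystem
if ($fs -ne 'NTFS') { throw "C: is $fs, not NTFS; NTFS permissions cannot be set." }
New-Item -ItemType Directory -Path $root -Force | Out-Null

# 2. Share it with Everyone = Full Control. Share and NTFS permissions combine and the
#    more restrictive one wins, so the NTFS ACLs set later are the only real restriction.
if (-not (net share | Select-String -Pattern ('^' + [regex]::Escape($share) + '\s'))) {
    net share "$share=$root" '/GRANT:Everyone,FULL' | Out-Null
}

# 3. and 4. Accounts and groups through the WinNT ADSI provider, which exists on every
#    client edition of Windows (no domain, no extra tools needed).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
foreach ($groupName in $plan.Keys) {
    $groupPath = "WinNT://$env:COMPUTERNAME/$groupName,group"
    if (-not [ADSI]::Exists($groupPath)) {
        $g = $computer.Create('Group', $groupName)
        $g.SetInfo()
    }
    $group = [ADSI]$groupPath
    # Current member names, so the script can be re-run safely.
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    foreach ($userName in $plan[$groupName]) {
        $userPath = "WinNT://$env:COMPUTERNAME/$userName,user"
        if (-not [ADSI]::Exists($userPath)) {
            # Same user name AND password as on that person's own PC, otherwise the
            # SMB logon from that PC fails (there is no domain to vouch for them).
            $secure = Read-Host "Password for $userName (same as on the user's PC)" -AsSecureString
            $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
            $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

            $u = $computer.Create('User', $userName)
            $u.SetPassword($plain)
            $u.SetInfo()
            $u.Put('Description', "Role account, member of $groupName")
            $u.SetInfo()
        }
        if ($members -notcontains $userName) { $group.Add($userPath) }
    }
}

# Show the result: the share and each group's membership.
net share $share
foreach ($groupName in $plan.Keys) { net localgroup $groupName }
```

The script is idempotent: existing shares, groups and accounts are left alone, and only missing memberships are added, so it can be re-run after a new hire is added to $plan.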

So, the necessary groups have been created and the user accounts are in them. But before assigning rights to folders and files through groups, I would like to discuss a couple of points.

Is it worth bothering with a group if there is only one account in it? I think it is! A group gives flexibility and room to manoeuvre. Tomorrow you will need to give another person B the same rights as person A has with their account. You simply add account B to the group A is already in, and that's it!

It is much easier when access rights are granted to groups rather than to individuals. All you have to do is manage the groups and put the right accounts in them.

Access rights.


So we have reached the stage where the magic of separating access rights for different groups, and through them users (more precisely, their accounts), actually happens.

We have the directory C:\dostup\, which we have already made available to all employees over the network. Inside C:\dostup\ we will create, for the sake of example, the folders Agreements, Orders and AccountingMC. Let's assume the task is:

  • the Agreements folder must be read-only for Accountants and read/write for Managers;
  • the AccountingMC folder must be readable and writable by Accountants; Managers have no access;
  • the Orders folder must be read-only for both Accountants and Managers.

Right-click the Agreements folder, then Properties - Security tab. We see that some groups and users already have access to it. These rights were inherited from the parent dostup\, and that in turn from its parent C:\.

We will break this inheritance and assign the rights we want.

Click the Advanced button - Permissions tab - Change Permissions button.

First we break the inheritance from the parent. Uncheck Include inheritable permissions from this object's parent. We are warned that the parent's permissions will no longer apply to this object (in this case the Agreements folder). The choices are Add, Remove or Cancel. Click Add: the rights inherited from the parent stay with us as a copy, but the parent no longer pushes its rights down. In other words, if the access rights of the parent (the dostup folder) are changed in the future, this will not affect the child folder Agreements. Note that the Inherited from column now says <not inherited>. The parent-child link has been broken.

Now carefully remove the extra rights, leaving Full Control for Administrators and SYSTEM. Select in turn the various Authenticated Users and plain Users entries and delete them with the Remove button.

The Add button in this Advanced Security Settings window is meant for experienced administrators who can set special permissions. This article is aimed at the level of an experienced user.

Tick Replace all child object permissions with inheritable permissions from this object and click OK. Go back, click OK again, and return to the simple Properties view.

This window makes it easier to achieve what we want. The Edit button opens the Permissions window for the folder.

Click Add. In the new window type Accountants, click Check Names, then OK. By default the simplified "read" access is granted: the checkboxes in the Allow column are set automatically to Read & execute, List folder contents and Read. That suits us, so click OK.

Now, according to our specification, the Managers group needs read and write. Back in the Properties window: Edit - Add - type Managers - Check Names. Tick Modify and Write in the Allow column as well.
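The dialog sequence above done with icacls, for all three folders of the task at once, as an added example (not from the original article). It assumes Windows Vista/7 or later (icacls is not on XP, which has only cacls), an elevated session, and that C:\dostup and the local groups Accountants and Managers already exist.

```powershell
# Added example (not from the original article): apply the task's rights with icacls.
# Assumes C:\dostup exists and the local groups Accountants and Managers exist.
$ErrorActionPreference = 'Stop'
$root = 'C:\dostup'

# icacls simple rights: RX = Read & execute + List folder contents + Read (what the
# dialog ticks by default), M = Modify (adds Write and deletion of items).
$spec = @{
    'Agreements'   = @{ 'Accountants' = 'RX'; 'Managers' = 'M'  }
    'AccountingMC' = @{ 'Accountants' = 'M' }                   # Managers: no entry = no access
    'Orders'       = @{ 'Accountants' = 'RX'; 'Managers' = 'RX' }
}

foreach ($folder in $spec.Keys) {
    $path = Join-Path $root $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Break inheritance from C:\dostup and discard the inherited entries in one go.
    # The dialog does this in two steps: untick "Include inheritable permissions",
    # choose Add, then delete "Authenticated Users" and "Users" by hand.
    icacls $path /inheritance:r | Out-Null

    # Mandatory entries: SYSTEM and Administrators keep Full Control. The (OI)(CI)
    # flags make an entry inherit to files (OI) and subfolders (CI).
    icacls $path /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    foreach ($group in $spec[$folder].Keys) {
        icacls $path /grant ('{0}:(OI)(CI){1}' -f $group, $spec[$folder][$group]) | Out-Null
    }

    # "Replace all child object permissions with inheritable permissions from this
    # object": reset any existing children so they inherit from $path again.
    if (Get-ChildItem -Path $path -Force) {
        icacls "$path\*" /reset /T /C /Q | Out-Null
    }

    icacls $path      # print the resulting ACL for review
}
```

Because every group entry carries (OI)(CI), a file created later inside Agreements inherits exactly the Accountants RX and Managers M entries, which is what the Effective Permissions check further down relies on.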

Now we need to check everything!

Follow the reasoning. We have told the Agreements folder not to inherit rights from its parent dostup, and told the child folders and files inside Agreements to inherit rights from it.

We have applied the following rights to the Agreements folder: the Accountants group may only read files and open folders inside it, and the Managers group may create and modify files and create folders.

Therefore a document file created inside the Agreements directory gets its permissions from its parent, and users get access to such files and directories through their groups.

Go into the Agreements folder and create a test file agreement1.txt.

Right-click it, then Properties - Security tab - Advanced - Effective Permissions tab.

Click Select and enter the account of any accountant, for example buh1. We clearly see that buh1 has received rights from the Accountants group, which has read rights to the parent Agreements folder, and that folder "extends" its permissions to its child objects.

Try manager2 and see just as clearly that the manager gets read and write, because they are a member of the Managers group, which grants those rights on this folder.
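The Effective Permissions check done in PowerShell, as an added example that is not part of the original article. It reproduces what the dialog computes for a local account in the common case: the user's SID plus the SIDs of the local groups the account is in (and the implicit Everyone and Authenticated Users), then a walk over the file's access entries in DACL order, where an earlier Deny removes bits that a later Allow can no longer add back. The file and account names are the article's; the owner's implicit rights and privileges such as Backup are not modelled.

```powershell
# Added example (not from the original article): effective NTFS rights of a local
# account on a path, computed the way the "Effective Permissions" tab does for the
# common case. Assumes a canonical DACL (what Explorer and icacls write).
function Get-EffectiveRights {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$UserName   # local account on this PC
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # 1. Build the token's SID list: the user, the implicit well-known groups, and
    #    every local group the account is a direct member of (local groups cannot nest).
    $sids = New-Object 'System.Collections.Generic.List[string]'
    $user = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $UserName)
    $sids.Add($user.Translate($sidType).Value)
    $sids.Add('S-1-1-0')    # Everyone
    $sids.Add('S-1-5-11')   # Authenticated Users
    $adsiUser = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    foreach ($g in $adsiUser.Invoke('Groups')) {
        $name = $g.GetType().InvokeMember('Name', 'GetProperty', $null, $g, $null)
        $sids.Add((New-Object System.Security.Principal.NTAccount($name)).Translate($sidType).Value)
    }

    # 2. Walk the DACL in order. A bit claimed by a matching Deny can no longer be
    #    allowed, and a Deny cannot take back a bit already allowed by an earlier
    #    entry (explicit entries precede inherited ones in a canonical DACL).
    $granted = [int]0
    $denied  = [int]0
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $denied  = $denied  -bor ($bits -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }
    return [System.Security.AccessControl.FileSystemRights]$granted
}

# Usage on the article's test file for an accountant and a manager.
$file = 'C:\dostup\Agreements\agreement1.txt'
if (-not (Test-Path $file)) { Set-Content -Path $file -Value 'test' }
foreach ($who in 'buh1', 'manager2') {
    '{0,-10} {1}' -f $who, (Get-EffectiveRights -Path $file -UserName $who)
}
```

With the rights from the text in place, buh1 is reported with only the read-type rights inherited from Agreements and manager2 with Modify, because the file carries no entries of its own and every matching entry is an inherited Allow.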

In exactly the same way, by analogy with the Agreements folder, apply the access rights to the other folders according to your specification.

Bottom line.

  • Use NTFS partitions.
  • When you restrict access to folders (and files), work with groups.
  • Create an account for every user. 1 person = 1 account.
  • Put accounts into groups. An account can be a member of several groups at once. If an account is in several groups and one of them allows something, it is allowed for the account.
  • The Deny column (denying rights) takes precedence over Allow. If an account is in several groups and one group denies something while another allows it, it is denied for the account. The one exception: Windows evaluates explicit entries on an object before inherited ones, so an explicit Allow set directly on a folder beats a Deny inherited from its parent.
  • Remove an account from a group when you want to take away the access that group gives.
  • Think about hiring an admin and don't shortchange them.

Ask questions in the comments, and correct me where needed.

The video shows a special case where you only need to deny access to a folder, using the fact that deny rules take precedence over allow rules.

imbasoft April 21, 2016 at 00:04

Standard for managing access rights to corporate file information resources



What could be simpler than setting the rights on a folder in NTFS? But this simple task can turn into a real nightmare when there are hundreds, if not thousands, of similar folders, and changing the rights on one folder "breaks" the rights on others. To work effectively in such conditions, an agreement or standard is needed that describes how such problems are solved. In this article we will look at one possible form of such a standard.

Scope

The standard for managing access rights to corporate file information resources (hereinafter the Standard) regulates the processes of granting access to file information resources located on computers running operating systems of the Microsoft Windows family. The Standard applies where NTFS is used as the file system and SMB/CIFS as the network file-sharing protocol.

Terms and definitions

Information resource: a named set of data to which information security methods and means (for example, access control) are applied.
File information resource: a collection of files and folders stored in a file system directory (called the root directory of the file information resource), access to which is restricted.
Composite file information resource: a file information resource containing one or more nested file information resources whose access rights differ from those of the containing resource.
Nested file information resource: a file information resource that is part of a composite file information resource.
Entry point to a file information resource: the file system directory that is shared on the network (shared folder) and through which access to the file information resource is provided. This directory usually coincides with the root directory of the file information resource, but it may also lie above it.
Intermediate directory: a file system directory on the path from the entry point to the root directory of a file information resource. If the entry point is the parent directory of the root directory of the resource, it is also an intermediate directory.
User access group: a local or domain security group that ultimately contains the user accounts granted one of the access permission options for a file information resource.

Basic principles

  1. Access is restricted only at the directory level. Access to individual files is not restricted.
  2. Access rights are granted to security groups. Access rights are not granted to individual user accounts.
  3. Explicit Deny permissions are not used.
  4. Access rights are differentiated only at the file system level. At the SMB/CIFS level rights are not differentiated (the group Everyone gets the share permission Change, i.e. read/write).
  5. When setting up network access to a file information resource, Access-based enumeration is enabled in the SMB/CIFS share settings.
  6. Creating file information resources on user workstations is not permitted.
  7. Placing file information resources on the system partitions of servers is not recommended.
  8. Creating more than one entry point to a file information resource is not recommended.
  9. Creating nested file information resources should be avoided where possible, and where file or directory names themselves contain confidential information it is not permitted at all.

Access control model

User access to a file information resource is provided by granting one of the following permission options:
  • Read-only access (Read Only);
  • Read/write access (Read & Write).
In the vast majority of access control tasks these two options are sufficient, but if necessary new options can be introduced, for example "Read & Write without Delete". To introduce a new permission option, only row B.3 of Table 1 needs to be specified; the rest of the Standard applies unchanged.

Rules for naming user access groups

User access group names are formed from the following template:

FILE-<file information resource name>-<permission abbreviation>

File information resource name
must match the UNC name of the resource, or consist of the server name and the local path (if there is no network access to the resource). Abbreviations are allowed in this field where needed. The leading "\\" is omitted, and "\" and ":" are replaced with "-" (as Example 2 shows, the ":\" after a drive letter becomes a single "-").

Permission abbreviations:

  • RO for the Read Only permission option;
  • RW for the Read & Write permission option.
Example 1
The access group for users with Read Only permission on the file information resource with UNC name \\FILESRV\Report is named:
FILE-FILESRV-Report-RO

Example 2
The access group for users with Read & Write permission on the file information resource located on server TERMSRV at local path D:\UsersData is named:
FILE-TERMSRV-D-UsersData-RW
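A helper that applies the naming rules above, as an added example that is not part of the Standard. The function and its parameters are hypothetical; it implements only the rules stated on this page, with the ":\" after a drive letter collapsing to one "-" as Example 2 shows, and takes an optional abbreviation table because the rules allow abbreviated resource names.

```powershell
# Added example (not from the original standard): build access group names from
# the template FILE-<resource>-<permission>. Hypothetical helper; only the naming
# rules on this page are implemented.
function New-AccessGroupName {
    [CmdletBinding(DefaultParameterSetName = 'Unc')]
    param(
        # UNC name of the resource, e.g. \\FILESRV\Report
        [Parameter(Mandatory = $true, ParameterSetName = 'Unc')]
        [ValidatePattern('^\\\\[^\\]+\\.+')]
        [string]$UncPath,

        # Server name plus local path, for resources without network access
        [Parameter(Mandatory = $true, ParameterSetName = 'Local')]
        [string]$Server,
        [Parameter(Mandatory = $true, ParameterSetName = 'Local')]
        [ValidatePattern('^[A-Za-z]:\\.+')]
        [string]$LocalPath,

        # RO, RW, or a new abbreviation defined under row B.3 of Table 1
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Z]{2,}$')]
        [string]$Permission,

        # Optional abbreviations for long directory names: @{ 'Long name' = 'Short' }
        [hashtable]$Abbreviations = @{}
    )

    if ($PSCmdlet.ParameterSetName -eq 'Unc') { $raw = $UncPath.TrimStart([char]'\') } else { $raw = "$Server\$LocalPath" }

    # Abbreviate first, so the separator replacement below cannot split a long name.
    foreach ($long in $Abbreviations.Keys) { $raw = $raw.Replace($long, $Abbreviations[$long]) }

    # "\" and ":" become "-"; a run of them (the ":\" after a drive letter) becomes
    # one "-", which is what Example 2 (FILE-TERMSRV-D-UsersData-RW) shows.
    $resource = ($raw -replace '[\\:]+', '-').Trim('-')
    if (-not $resource) { throw "No resource name left after normalising '$raw'" }

    return "FILE-$resource-$Permission"
}

# Example 1 and Example 2 from the text, then a long department name abbreviated.
New-AccessGroupName -UncPath '\\FILESRV\Report' -Permission RO
New-AccessGroupName -Server 'TERMSRV' -LocalPath 'D:\UsersData' -Permission RW
New-AccessGroupName -UncPath '\\FILESRV\SHARE\Information Systems Development Department' -Permission RW `
    -Abbreviations @{ 'Information Systems Development Department' = 'ISDevDept' }
```

The first two calls reproduce Example 1 and Example 2; the third produces the abbreviated department group name of the form used in the worked examples later on this page. Validating the permission abbreviation as upper-case letters keeps a typo such as "rw" from silently creating a second set of groups for the same resource.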

Template of access rights to directories of a file information resource

Table 1 – Template of NTFS access rights for the root directory of a file information resource.

Inheritance mode: disabled (the root directory does not inherit from its parent).

  Subject                               | Rights                                              | Applies to
  --------------------------------------|-----------------------------------------------------|----------------------------------
  A) Mandatory rights                   |                                                     |
  Special account SYSTEM                | Full Control                                        | This folder, subfolders and files
  Local security group Administrators   | Full Control                                        | This folder, subfolders and files
  B.1) Permission option Read Only      |                                                     |
  User access group                     | Basic permissions: a) Read & execute;               | This folder, subfolders and files
  FILE-<ResourceName>-RO                | b) List folder contents; c) Read                    |
  B.2) Permission option Read & Write   |                                                     |
  User access group                     | Basic permissions: a) Modify; b) Read & execute;    | This folder, subfolders and files
  FILE-<ResourceName>-RW                | c) List folder contents; d) Read; e) Write          |
  B.3) Other permission options, if any |                                                     |
  User access group                     | According to the permission option                  | This folder, subfolders and files
  FILE-<ResourceName>-<Abbreviation>    |                                                     |

Table 2 – Template of NTFS access rights for intermediate directories of a file information resource.

Inheritance mode: inheritance from parent directories is enabled, except when the directory lies above all file information resources and is not itself part of any file information resource, in which case inheritance is disabled.

  Subject                                      | Rights                                                 | Applies to
  ---------------------------------------------|--------------------------------------------------------|------------------------------------
  A) Mandatory rights                          |                                                        |
  Special account SYSTEM                       | Full Control                                           | This folder, subfolders and files
  Local security group Administrators          | Full Control                                           | This folder, subfolders and files
  B.1) Permission option Traverse              |                                                        |
  User access groups of every file information | Advanced permissions: a) Traverse folder / execute     | This folder only
  resource for which this directory is an      | file; b) List folder / read data; c) Read attributes;  |
  intermediate directory                       | d) Read extended attributes; e) Read permissions       |

Business processes for managing access to file information resources

A. Creating a file information resource
When a file information resource is created, the following actions are performed:
  1. User access groups are created. If the server hosting the resource is a domain member, domain groups are created; otherwise the groups are created locally on the server.
  2. Access rights are assigned to the root directory and the intermediate directories of the resource according to the access rights templates.
  3. User accounts are added to the user access groups according to their permissions.
  4. If necessary, a network share (shared folder) is created.
B. Granting a user access to a file information resource
The user account is placed in the user access group matching the permissions to be granted.

C. Changing a user's access to a file information resource
The user account is moved to a different user access group matching the new permissions.

D. Revoking a user's access to a file information resource
The user account is removed from the user access groups of the resource. When an employee leaves, group membership is left unchanged and the account itself is disabled.

E1. Creating a nested file information resource: widening access
This task arises when an additional group of people must be given access to a particular directory of a file information resource (access is widened). In this case:
  1. The nested file information resource is registered (according to process A).
  2. The user access groups of the containing composite file information resource are added as members to the user access groups of the nested resource.
E2. Creating a nested file information resource: narrowing access
This task arises when access to a particular directory of a file information resource must be restricted to a smaller group of people:
  1. The nested file information resource is registered (according to process A).
  2. Only the user accounts that need access are placed in the user access groups of the new resource.
F. Changing the access model of a file information resource
When new permission options, for example "Read & Write without Delete", have to be added to the standard Read Only and Read & Write options, the following is done:
  1. User access to this resource and to all nested resources is blocked by organizational (or technical, but not involving changes to directory access rights) measures.
  2. New access rights are assigned to the root directory of the resource, and the access rights of all child objects are replaced (inheritance is propagated from the root).
  3. Access rights of all nested file information resources are reconfigured.
  4. Intermediate directories of this resource and of the nested resources are configured.
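The creation process (groups, Table 1 on the root directory, Table 2 on the intermediate directories) together with the group nesting used when a nested resource widens access, as an added PowerShell example; this is not the Standard's own code. It assumes Windows Server 2008 R2 or later with the ActiveDirectory module installed when a domain is given, an elevated session, and the page's naming rules; the function name and parameters are hypothetical.

```powershell
# Added example (not from the original standard): create a file information
# resource (groups, root ACL per Table 1, traverse ACEs per Table 2) and, for a
# nested resource that widens access, nest the parent's groups into the new ones.
# Assumes Windows Server 2008 R2+; the ActiveDirectory module when -Domain is set.
function New-FileResource {
    param(
        [Parameter(Mandatory = $true)][string]$RootPath,       # root directory of the resource
        [Parameter(Mandatory = $true)][string]$EntryPoint,     # shared directory at or above it
        [Parameter(Mandatory = $true)][string]$ResourceField,  # e.g. FILESRV-SHARE-ISDevDept
        [string]$Domain,                                       # NetBIOS domain (ICS); empty = local groups
        [hashtable]$ParentGroups = @{}                         # @{ RO = '<parent RO group>'; RW = '<parent RW group>' }
    )
    $ErrorActionPreference = 'Stop'
    $root  = $RootPath.TrimEnd('\')
    $entry = $EntryPoint.TrimEnd('\')
    if ($root -ne $entry -and -not $root.StartsWith("$entry\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "$RootPath is not below the entry point $EntryPoint"
    }
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    # A.1 Access groups: domain groups on a domain member, local groups otherwise.
    $groups = @{}
    foreach ($perm in 'RO', 'RW') {
        $name = "FILE-$ResourceField-$perm"
        if ($Domain) {
            if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
                New-ADGroup -Name $name -GroupScope Global -GroupCategory Security | Out-Null
            }
            $groups[$perm] = "$Domain\$name"
        } else {
            if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$name,group")) {
                $g = ([ADSI]"WinNT://$env:COMPUTERNAME").Create('Group', $name)
                $g.SetInfo()
            }
            $groups[$perm] = $name
        }
    }

    # A.2 Root directory = Table 1: inheritance off and inherited entries removed,
    #     SYSTEM/Administrators Full, RO group RX, RW group M, all inheriting (OI)(CI).
    icacls $root /inheritance:r | Out-Null
    icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
                        "$($groups.RO):(OI)(CI)RX" "$($groups.RW):(OI)(CI)M" | Out-Null

    # A.2 Intermediate directories = Table 2: traverse-type rights on "this folder
    #     only" (no OI/CI flags) from the root's parent up to the entry point. RX is
    #     Table 2 literally; the cacls dumps on this page show plain R, which also
    #     works because Everyone holds "Bypass traverse checking" by default.
    if ($root -ne $entry) {
        $dir = Split-Path -Parent $root
        while ($true) {
            icacls $dir /grant "$($groups.RO):RX" "$($groups.RW):RX" | Out-Null
            if ($dir.TrimEnd('\') -eq $entry) { break }
            $dir = Split-Path -Parent $dir
        }
    }

    # Widening access for a nested resource: the parent resource's groups become
    # members of the new groups. Only domain groups can nest; a local group cannot
    # contain another local group, so this needs -Domain.
    foreach ($perm in $ParentGroups.Keys) {
        if (-not $Domain) { throw 'Nesting access groups requires domain groups.' }
        Add-ADGroupMember -Identity "FILE-$ResourceField-$perm" -Members $ParentGroups[$perm]
    }
    return $groups
}

# The page's walk-through: the department resource, then the nested Documentation
# resource that keeps the department's users. Adding people (A.3) and sharing
# D:\SHARE with Everyone = Change plus Access-based enumeration (A.4) are left to
# Add-ADGroupMember and the Share and Storage Management applet, as on the page.
$dept = New-FileResource -RootPath 'D:\SHARE\Information Systems Development Department' `
    -EntryPoint 'D:\SHARE' -ResourceField 'FILESRV-SHARE-ISDevDept' -Domain 'ICS'
$docs = New-FileResource -RootPath 'D:\SHARE\Information Systems Development Department\Documentation' `
    -EntryPoint 'D:\SHARE' -ResourceField 'FILESRV-SHARE-ISDevDept-Documentation' -Domain 'ICS' `
    -ParentGroups @{ RO = 'FILE-FILESRV-SHARE-ISDevDept-RO'; RW = 'FILE-FILESRV-SHARE-ISDevDept-RW' }
icacls 'D:\SHARE'
```

On Windows Server 2012 and later the share step can also be scripted with Set-SmbShare -FolderEnumerationMode AccessBased; on 2008 R2, which the examples use, Access-based enumeration is set in the applet. Narrowing access (the Archive case) is the same call without -ParentGroups, followed by adding only the intended accounts to the new RW group.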

Examples

Let us consider the application of this Standard using the example of a hypothetical organization, InfoCryptoService LLC, where a server named FILESRV is dedicated to centralized storage of file information resources. The server runs Microsoft Windows Server 2008 R2 and is a member of an Active Directory domain with the FQDN domain.ics and the NetBIOS name ICS.

Preparing the file server
On drive D: of server FILESRV create the directory D:\SHARE\. This directory will be the single entry point to all file information resources hosted on this server. Share this folder on the network (using the Share and Storage Management applet) with Everyone = Change on the share and Access-based enumeration enabled, as the basic principles require:


Creating a file information resource
Statement of the problem.
Suppose InfoCryptoService LLC has an Information Systems Development Department consisting of the head of department Sergei Leonidovich Ivanov ([email protected]) and the specialist Lev Borisovich Markin ([email protected]), and a file information resource for storing the department's data needs to be organized for them. Both employees need read and write access to this resource.

Solution.
In the directory D:\SHARE\ on server FILESRV create the folder D:\SHARE\Information Systems Development Department\, which will be the root directory of the file information resource. Also create the user access groups (global security groups in domain ICS) for this resource, abbreviating the department name to ISDevDept in the resource-name field as the naming rules allow:

  • FILE-FILESRV-SHARE-ISDevDept-RO
  • FILE-FILESRV-SHARE-ISDevDept-RW
Set the access rights on the directory D:\SHARE\Information Systems Development Department\ according to Table 1. Dump of NTFS permissions obtained with the cacls command:

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
ICS\FILE-FILESRV-SHARE-ISDevDept-RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:(OI)(CI)C

The directory D:\SHARE\ is the entry point and an intermediate directory for this resource. Add the Traverse rights from Table 2 to it for the groups FILE-FILESRV-SHARE-ISDevDept-RO and FILE-FILESRV-SHARE-ISDevDept-RW. Dump of NTFS permissions obtained with the cacls command:

ICS\FILE-FILESRV-SHARE-ISDevDept-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

Since both users need read and write access, add their accounts to the group FILE-FILESRV-SHARE-ISDevDept-RW.

Granting a user access to a file information resource
Statement of the problem.
Suppose another employee is hired into the development department, the specialist Mikhail Vladimirovich Egorov ([email protected]), and like the other department employees he needs read and write access to the department's file information resource.

Solution.
Add the employee's account to the group FILE-FILESRV-SHARE-ISDevDept-RW.

Creating a nested file information resource: widening access
Statement of the problem.
Suppose the Information Systems Development Department decides to improve its collaboration with the Marketing Department and to give its head, Natalya Evgenievna Kruglikova ([email protected]), read access to the current product documentation stored in the Documentation folder of the department's file information resource.

Solution.
To solve this, a nested resource \\FILESRV\SHARE\Information Systems Development Department\Documentation has to be created, in which all users who had access to \\FILESRV\SHARE\Information Systems Development Department\ keep their read or read/write access, and read access is added for Natalya Evgenievna Kruglikova ([email protected]).

In the directory D:\SHARE\Information Systems Development Department\ create the folder D:\SHARE\Information Systems Development Department\Documentation, which will be the root directory of the new resource. Also create two user access groups:

  • FILE-FILESRV-SHARE-ISDevDept-Documentation-RO
  • FILE-FILESRV-SHARE-ISDevDept-Documentation-RW
Set the access rights on the folder D:\SHARE\Information Systems Development Department\Documentation as follows.

Dump of NTFS permissions obtained with the cacls command:

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RW:(OI)(CI)C

Since all users who have access to \\FILESRV\SHARE\Information Systems Development Department\ need the same access to \\FILESRV\SHARE\Information Systems Development Department\Documentation, add the group FILE-FILESRV-SHARE-ISDevDept-RO to FILE-FILESRV-SHARE-ISDevDept-Documentation-RO and the group FILE-FILESRV-SHARE-ISDevDept-RW to FILE-FILESRV-SHARE-ISDevDept-Documentation-RW respectively. Then add the account of Natalya Evgenievna Kruglikova ([email protected]) to the group FILE-FILESRV-SHARE-ISDevDept-Documentation-RO, which matches the read access the task calls for.

Now, if Natalya Evgenievna Kruglikova ([email protected]) opens the link \\FILESRV\SHARE\Information Systems Development Department\Documentation directly, she reaches the folder she needs, but typing the full path is not always convenient, so let us set up a traverse path to this folder from the entry point \\FILESRV\SHARE\ (D:\SHARE\). To do this, configure the access rights on the intermediate directories D:\SHARE\ and D:\SHARE\Information Systems Development Department\.

Configure D:\SHARE\:

Dump of NTFS permissions obtained with the cacls command:
ICS\FILE-FILESRV-SHARE-ISDevDept-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

And D:\SHARE\Information Systems Development Department:

Dump of NTFS permissions obtained with the cacls command:
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

Creating a nested file information resource: narrowing access
Statement of the problem
To keep backup copies of the Information Systems Development Department's work, the head of the department, Sergei Leonidovich Ivanov ([email protected]), needs a network folder Archive inside the department's file information resource to which only he has access.

Solution.
To solve this, a nested resource Archive (\\FILESRV\SHARE\Information Systems Development Department\Archive) has to be created inside the department's file information resource, with access granted only to the head of the department.

In the directory D:\SHARE\Information Systems Development Department\ create the folder D:\SHARE\Information Systems Development Department\Archive, which will be the root directory of the new resource. Also create two user access groups:

  • FILE-FILESRV-SHARE-ISDevDept-Archive-RO
  • FILE-FILESRV-SHARE-ISDevDept-Archive-RW
Configure the access rights on the directory D:\SHARE\Information Systems Development Department\Archive:

Dump of NTFS permissions obtained with the cacls command:
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RW:(OI)(CI)C

Then D:\SHARE\Information Systems Development Department:

Dump of NTFS permissions obtained with the cacls command:
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

And D:\SHARE\:

Dump of NTFS permissions obtained with the cacls command:
ICS\FILE-FILESRV-SHARE-ISDevDept-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Documentation-RW:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RO:R
ICS\FILE-FILESRV-SHARE-ISDevDept-Archive-RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

Add the user account of Sergei Leonidovich Ivanov ([email protected]) to the group FILE-FILESRV-SHARE-ISDevDept-Archive-RW.

Requirements for knowledge and skills

The student must know:

  • access control methods;

  • the access control methods provided for in the guidance documents of the State Technical Commission.

The student must be able to:

  • apply access control methods.

Key term

Key term: Access control methods.

When access is differentiated, the authorities (set of rights) of a subject are established for the subsequent control of authorized use of information system objects.

Minor terms

  • Access control methods.

  • Mandatory and discretionary access control.

Structural diagram of terms

4.3.1 Access control methods

After identification and authentication are completed, the security subsystem establishes the powers (set of rights) of the subject for subsequent control of the authorized use of information system objects.

Usually a subject's powers are represented as a list of the resources accessible to the user, together with the access rights to each resource in the list.

The following access control methods exist:

  1. access control based on lists;

  2. use of an authorization matrix;

  3. access control by privacy levels and categories;

  4. password access control.

When restricting access by lists, a correspondence is specified: for each user, a list of resources and the access rights to them; or for each resource, a list of users and their access rights to that resource.

Lists allow rights to be set down to the individual user. It is easy to add rights or to explicitly deny access here. Lists are used in the security subsystems of operating systems and database management systems.

An example (Windows 2000 operating system) of access control using lists for one object is shown in Figure 1.

The use of an authorization matrix implies the use of an access matrix (authority table). In this matrix, the rows are the identifiers of the subjects who have access to the information system, and the columns are the objects (resources) of the information system. Each matrix element can contain the name and size of the resource provided, access rights (read, write, etc.), a link to another information structure specifying access rights, a link to the program that manages access rights, etc.

Figure 1

This method provides a more unified and convenient approach, because all information about permissions is stored in a single table rather than in lists of different types. The disadvantages of the matrix are its possible bulkiness and non-optimality (most cells are empty).

A fragment of the authorization matrix is shown in Table 1.

Table 1

Subject | Drive c:\           | File dprog.exe  | Printer
User 1  | Read, Write, Delete | Execute, Delete | Print, Set options
User 2  | Read                | Execute         | Print (9:00 to 17:00)
User 3  | Read, Write         | Execute         | Print (from 17:00 to 9:00)

Access differentiation by privacy levels and categories consists of dividing information system resources by privacy levels and categories.

When distinguishing by level of secrecy, several levels are distinguished, for example: public, confidential, secret, top secret. The permissions of each user are set according to the maximum secrecy level to which he is cleared. The user has access to all data whose secrecy level is no higher than the one assigned to him; for example, a user who has access to “secret” data also has access to “confidential” and “public” data.

When distinguishing by category, the rank of the user's category is set and controlled. Accordingly, all resources of the information system are divided into levels of importance, with a category of users corresponding to each level. As an example where user categories are used, consider the Windows 2000 operating system, whose security subsystem by default supports the following categories (groups) of users: “administrator”, “power user”, “user” and “guest”. Each category has a specific set of rights. The use of user categories simplifies the procedures for assigning user rights through security group policies.

Password-based access control is, obviously, the use of a password for subjects to access objects. All methods of password protection are used. Obviously, the constant use of passwords creates inconvenience for users and time delays, so these methods are used in exceptional situations.

In practice, they usually combine various access control methods. For example, the first three methods are strengthened with password protection.

Differentiation of access rights is a mandatory element of a secure information system. Let us recall that the US “Orange Book” introduced the following concepts:

— discretionary (arbitrary) access control;

— mandatory (forced) access control.

4.3.2 Mandatory and discrete access control

GOST R 50739-95 “Computer facilities. Protection against unauthorized access to information” and the documents of the State Technical Commission of the Russian Federation define two types (principles) of access control:

  • discrete access control;

  • mandatory access control.

Discrete access control is the differentiation of access between named subjects and named objects. A subject with a certain access right can transfer this right to any other subject. This type is organized on the basis of the list-based or matrix-based methods.

Mandatory access control is based on comparing the confidentiality labels of the information contained in objects (files, folders, pictures) with the subject's official permission (clearance) to information of the corresponding level of confidentiality.

On closer examination, you will notice that discrete access control is nothing more than the Orange Book's discretionary (arbitrary) access control, and mandatory access control implements its mandatory (forced) access control.

Conclusions on the topic

  1. The determination of the powers (set of rights) of a subject, for subsequent control of his authorized use of information system objects, is carried out by the security subsystem after identification and authentication.

  2. The following access control methods exist:

  • access control based on lists;

  • use of an authorization matrix;

  • access control by privacy levels and categories;

  • password access control.

  3. When restricting access by lists, a correspondence is specified: for each user, a list of resources and the access rights to them; or for each resource, a list of users and their access rights to that resource.

  4. The use of an authorization matrix implies the use of an access matrix (authority table). In this matrix, the rows are the identifiers of the subjects who have access to the information system, and the columns are the objects (resources) of the information system.

  5. When distinguishing by level of secrecy, several levels are distinguished, for example: public, confidential, secret, top secret. The permissions of each user are set according to the maximum secrecy level to which he is cleared. The user has access to all data whose secrecy level is no higher than the one assigned to him.

  6. Password-based access control is based on the use of a password for subjects to access objects.

  7. In GOST R 50739-95 “Computer facilities. Protection against unauthorized access to information” and in the documents of the State Technical Commission of the Russian Federation, two types (principles) of access control are defined: discrete access control and mandatory access control.

  8. Discrete access control is the differentiation of access between named subjects and named objects.

  9. Mandatory access control is based on comparing the confidentiality labels of the information contained in objects (files, folders, pictures) with the subject's official permission (clearance) to information of the corresponding level of confidentiality.

Goal: mastering the techniques of exchanging files between users of a local computer network.

Theoretical information for the laboratory work

The main devices for fast transfer of information over long distances today are the telegraph, radio, telephone, television transmitters and telecommunications networks based on computing systems. The transfer of information between computers has existed since computers appeared. It makes it possible to organize the joint work of separate computers, to solve one problem using several computers, to share resources and to solve many other problems.

A computer network is understood as a complex of hardware and software designed for information exchange and for user access to shared network resources. The main purpose of computer networks is to give users shared access to information (databases, documents, etc.) and resources (hard drives, printers, CD-ROM drives, modems, access to the global network, etc.).

Network subscribers are objects that generate or consume information. Network subscribers can be individual computers, industrial robots, CNC (numerically controlled) machines, etc. Every network subscriber is connected to a station. A station is equipment that performs the functions of transmitting and receiving information. To organize interaction between subscribers and stations, a physical transmission medium is required. The physical transmission medium is the communication lines, or the space in which electrical signals propagate, together with the data transmission equipment. One of the main characteristics of communication lines (channels) is the data transfer rate (throughput). The data transfer rate is the number of bits of information transmitted per unit of time. Data transfer rates are usually measured in bits per second (bit/s) and in the multiples Kbit/s and Mbit/s. Relationships between the units: 1 Kbit/s = 1024 bit/s; 1 Mbit/s = 1024 Kbit/s; 1 Gbit/s = 1024 Mbit/s.

A communication network is built on the basis of the physical transmission medium. Thus, a computer network is a collection of subscriber systems and a communication network.

Types of networks. According to the type of computers used, there are homogeneous and heterogeneous networks. Heterogeneous networks contain software-incompatible computers. By territorial characteristics, networks are divided into local and global.

Local networks (LAN, Local Area Network) connect subscribers located within a small area, usually no more than 2–2.5 km. Local computer networks make it possible to organize the work of individual enterprises and institutions, including educational ones, and to solve the problem of organizing access to shared technical and information resources. Global networks (WAN, Wide Area Network) connect subscribers located at considerable distances from each other: in different districts of a city, in different cities, countries, on different continents (for example, the Internet). Interaction between subscribers of such a network can be carried out over telephone lines, radio communications and satellite communication systems. Global computer networks solve the problem of uniting the information resources of all humanity and organizing access to these resources.

Basic communication network components:
  • transmitter;
  • receiver;
  • messages (digital data of a certain format: a database file, a table, a response to a request, text or an image);
  • transmission media (the physical transmission medium and the special equipment that ensures the transmission of information).

Topology of local networks. The topology of a computer network is usually understood as the physical arrangement of the computers on the network relative to each other and the way they are connected by communication lines. The topology determines the equipment requirements, the type of cable used, the methods of controlling communication, operational reliability and the possibility of expanding the network. There are three main types of network topology: bus, star and ring.

Bus, in which all computers are connected in parallel to one communication line, and information from each computer is transmitted simultaneously to all other computers. A peer-to-peer network is created according to this topology. With such a connection, computers can transmit information only one at a time, since there is only one communication line.

Advantages:


  • ease of adding new nodes to the network (this is possible even while the network is running);

  • the network continues to function even if individual computers are out of order;

  • inexpensive network equipment due to the widespread use of this topology.

Disadvantages:


  • complexity of the network equipment;

  • difficulty diagnosing network equipment malfunctions due to the fact that all adapters are connected in parallel;

  • a cable break leads to the failure of the entire network;

  • limitation on the maximum length of communication lines, because signals are attenuated during transmission and cannot be restored in any way.

Star, in which the other (peripheral) computers are connected to one central computer, each of them over its own separate communication line. All information exchange goes exclusively through the central computer, which therefore bears a very heavy load and is usually dedicated to serving the network only.

Advantages:


  • failure of a peripheral computer does not in any way affect the functioning of the rest of the network;

  • simplicity of the network equipment used;

  • all connection points are collected in one place, which makes it easy to control the operation of the network, localize network faults by disconnecting certain parts from the center peripheral devices;

  • there is no signal attenuation.

Disadvantages:

Ring, in which each computer always transmits information to only one computer next in the chain, and receives information only from the previous computer in the chain, and this chain is closed. The peculiarity of the ring is that each computer restores the signal coming to it, so the attenuation of the signal throughout the ring does not matter, only the attenuation between neighboring computers is important.

Advantages:


  • it’s easy to connect new nodes, although this requires pausing the network;

  • a large number of nodes that can be connected to the network (more than 1000);

  • high resistance to overloads.

Disadvantages:


  • the failure of at least one computer disrupts the operation of the network;

  • A cable break in at least one place disrupts the operation of the network.

In some cases, when designing a network, a combined topology is used. For example, a tree is a combination of several stars.

Every computer that operates on a local network must have a network adapter (network card). The function of the network adapter is the transmission and reception of the signals carried over the communication cables. In addition, the computer must be equipped with a network operating system.

When constructing networks, the following types of cable are used:

  • unshielded twisted pair. The maximum distance between computers connected by this cable reaches 90 m; the data transfer speed is from 10 to 155 Mbit/s;

  • shielded twisted pair. The data transfer speed is 16 Mbit/s over a distance of up to 300 m;

  • coaxial cable. It has higher mechanical strength and noise immunity and allows information to be transmitted over a distance of up to 2000 m at a speed of 2-44 Mbit/s;

  • fiber optic cable. An ideal transmission medium: it is not affected by electromagnetic fields and allows information to be transmitted over a distance of up to 10,000 m at a speed of up to 10 Gbit/s.

The concept of global networks. A global network is an association of computers located at a great distance from each other, for the shared use of the world's information resources. Today there are more than 200 of them in the world; the most famous and most popular is the Internet.

Unlike local networks, global networks have no single management center. The network is based on tens and hundreds of thousands of computers connected by one communication channel or another. Each computer has a unique identifier, which makes it possible to “plot a route to it” for the delivery of information. Typically, a global network connects computers that operate by different rules (having different architectures, system software, etc.). Therefore, gateways are used to transfer information from one type of network to another.

Gateways are devices (computers) that serve to connect networks with completely different exchange protocols.

An exchange protocol is a set of rules (an agreement, a standard) that defines the principles of data exchange between different computers on a network.

Protocols are conventionally divided into basic (lower-level) protocols, responsible for transmitting information of any type, and application (higher-level) protocols, responsible for the operation of specialized services.

The main computer on the network, which provides access to a shared database, provides shared use of input/output devices and supports user interaction, is called a server.

A computer on the network that only uses network resources but does not give its own resources to the network is called a client (often also called a workstation).

To work on the global network, the user must have the appropriate hardware and software.

Software can be divided into two classes:


  • server programs that are located on the network node serving the user’s computer;

  • client programs located on the user’s computer and using the services of the server.

Global networks provide users with a variety of services: e-mail, remote access to any computer on the network, searching for data and programs, and so on.

Task No. 1.


  1. Create a folder in the “My Documents” folder called Mail_1 (the number in the name corresponds to the number of your computer).

  2. Using the Word or WordPad text editor, create a letter to your classmates.

  3. Save this text in the Mail_1 folder of your computer in the letter1.doc file, where 1 is the computer number.

  4. Open a folder on another computer, for example, Mail_2 and copy the file letter1 from your Mail_1 folder into it.

  5. In your Mail_1 folder, read letters from other users, for example letter2. Add your answer to them.

  6. Rename the file letter2.doc to letter2_answer1.doc.

  7. Move the file letter2_answer1.doc to the Mail_2 folder and delete it from your folder.

  8. Next, repeat steps 2-4 for other computers.

  9. Read messages from other users in your folder and repeat steps 5-8 for them.

Task No. 2. Answer the questions and write them down in your notebook:

  1. Indicate the main purpose of a computer network.
  2. Specify an object that is a network subscriber.
  3. Indicate the main characteristics of communication channels.
  4. What is a local network? A global network?
  5. What is meant by local network topology?
  6. What types of local network topology are there?
  7. Briefly describe the bus, star and ring topologies.
  8. What is an exchange protocol?
  9. Solve the problem. The maximum data transfer speed in the local network is 100 Mbit/s. How many pages of text can be transmitted in 1 second if 1 page of text contains 50 lines and each line has 70 characters?

Basic Concepts

When considering information security issues, the concepts of subject and object of access are used. An access subject can perform a certain set of operations on each access object. These operations may be allowed or denied to a specific subject or group of subjects. Access to objects is usually determined at the operating system level by its architecture and current security policy. Let's consider some definitions regarding methods and means of delimiting access of subjects to objects.

Definition 1

Object access method – an operation that is defined for a given object. It is possible to restrict access to an object by restricting the possible access methods.

Definition 2

Object owner – the subject who created the object; the owner is responsible for the confidentiality of the information contained in the object and for access to it.

Definition 3

Object access right – the right to access an object using one or more access methods.

Definition 4

Access control – a set of rules that determines, for each subject, object and method, whether or not the right to access using the specified method exists.

Access control models

The most common access control models:

  • discretionary (selective) access control model;
  • authoritative (mandatory) access control model.

The discretionary model is characterized by the following rules:

  • any object has an owner;
  • the owner has the right to arbitrarily limit the access of subjects to this object;
  • for each set of subject – object – method, the right of access is uniquely defined;
  • the presence of at least one privileged user (for example, an administrator) who has the ability to access any object using any access method.

In the discretionary model, the definition of access rights is stored in an access matrix: the rows list the subjects, and the columns list the objects. Each matrix cell stores the access rights of a given subject to a given object. The access matrix of a modern operating system takes up tens of megabytes.

The authoritative (mandatory) model is characterized by the following rules:

  • Each object has a secrecy classification. The classification has a numerical value: the larger it is, the higher the secrecy of the object;
  • Each access subject has a clearance level.

In this model, a subject receives access to an object only if the value of the subject's clearance level is not less than the value of the object's secrecy classification.

The advantage of the authoritative model is that there is no need to store large volumes of information about access control. Each subject stores only the value of its clearance level, and each object stores the value of its secrecy classification.
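As an added example serving both sections 4.3.1–4.3.2 and the models described above (my own code, not from the lecture), a Python sketch of the discretionary model as a sparse access matrix (owner-only grants, a privileged user) and of the authoritative model's clearance-versus-classification rule, combined into one decision that also returns the reason for an audit log. The subject, object and level names are constructed; applying the mandatory rule to the privileged user as well is my assumption.

```python
from dataclasses import dataclass

# Secrecy levels from the text; a larger number means a higher (more secret) label.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int            # maximum level the subject is cleared for
    privileged: bool = False  # e.g. an administrator: any method on any object (discretionary rule 4)


@dataclass(frozen=True)
class Obj:
    name: str
    owner: str                # discretionary rule 1: every object has an owner
    classification: int       # authoritative rule 1: numeric secrecy label


class AccessMatrix:
    """Discretionary access matrix stored sparsely: only non-empty cells are kept,
    because most (subject, object) cells of a real matrix are empty."""

    def __init__(self):
        self._cells = {}      # (subject name, object name) -> set of methods

    def grant(self, granter, subject, obj, method):
        # Discretionary rule 2: only the owner may change who can access the object.
        if granter != obj.owner:
            raise PermissionError(f"{granter} does not own {obj.name}")
        self._cells.setdefault((subject, obj.name), set()).add(method)

    def revoke(self, granter, subject, obj, method):
        if granter != obj.owner:
            raise PermissionError(f"{granter} does not own {obj.name}")
        self._cells.get((subject, obj.name), set()).discard(method)

    def methods(self, subject, obj):
        return self._cells.get((subject, obj.name), set())


def mac_check(subject, obj):
    """Authoritative model: access only if clearance is not less than classification."""
    if subject.clearance >= obj.classification:
        return True, "mandatory: ok"
    return False, f"mandatory: clearance {subject.clearance} < classification {obj.classification}"


def dac_check(matrix, subject, obj, method):
    """Discretionary model: rule 3, the cell (subject, object, method) decides,
    except for a privileged subject."""
    if subject.privileged:
        return True, "discretionary: privileged subject"
    if method in matrix.methods(subject.name, obj):
        return True, "discretionary: granted by matrix cell"
    return False, f"discretionary: no '{method}' right on {obj.name} for {subject.name}"


def decide(matrix, subject, obj, method):
    """Combined decision: the mandatory check is applied first and cannot be overridden
    by a discretionary grant (assumption: even the privileged user obeys the labels)."""
    ok, reason = mac_check(subject, obj)
    if not ok:
        return False, reason
    return dac_check(matrix, subject, obj, method)
```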

Access control methods

Types of access control methods:

    Access control based on lists

    The essence of the method is to set correspondences: for each user a list of resources and access rights to them is specified, or for each resource a list of users and access rights to these resources is determined. Using lists, it is possible to establish rights down to each user. It is possible to add rights or explicitly deny access. The list access method is used in the security subsystems of operating systems and database management systems.

    Using the Authority Matrix

    When using the authorization matrix, an access matrix (authority table) is used. In the access matrix, the rows record the identifiers of the subjects who have access to the computer system, and the columns record the objects (resources) of the computer system.

    Each matrix cell may contain the name and size of a resource, an access right (read, write, etc.), a link to another information structure that specifies access rights, a link to a program that manages access rights, etc.

    This method is quite convenient, since all information about authorities is stored in a single table. The disadvantage of the matrix is its possible cumbersomeness.

    Access control by privacy levels and categories

    Differentiation by degree of secrecy uses several levels. The permissions of each user can be set in accordance with the maximum secrecy level to which he is cleared.

    Password access control

    Password-based access control uses a password for subjects to access objects. Constant use of passwords leads to inconvenience for users and time delays. For this reason, password-based methods are used in exceptional situations.

In practice it is common to combine different access control methods. For example, the first three methods are reinforced with password protection. Differentiation of access rights is a prerequisite for a secure computer system.