Studying for the Security+ exam

rasczak

I'm a bit confused with how these versions of access control are implemented. DAC I assume is the owner of the object giving access to individuals as needed, and RBAC giving access to a user based on their position, but how is that implemented in the case of Windows? Would it be similar to creating a group in Windows for HR and one for Finance? A new employee is hired on to work for HR, their user account is created and they are added to the HR group with access to the HR shares? Is that how I am to understand RBAC? Could someone give me examples of how MAC and DAC are implemented?

Thanks!
Joe

**edit**

Does anyone have a site they can recommend for practice testing? Or do I need to purchase them?
 

Security Guy

An example of RBAC would be assigning different roles to a profile and granting that profile to an employee based on their job duties. This is usually done in the Application layer as opposed to the OS layer.

All group maintenance in Windows is still DAC. When you create an HR group in AD, there still needs to be an owner of that group granting people access at their discretion.

MAC - based on security classification level. Don't have too much experience w/ MAC administration but imagine resources are granted based on rank and a need-to-know basis.
 

SagaLore

Yea I think you understand it correctly. Remember that they're just concepts - they're not necessarily going to apply 100% to any OS. A Windows machine uses DAC on a per file/folder basis - you specify the permissions for users or groups of users. Active Directory implements RBAC in a way, since you typically set permissions based on a group, and add/remove users to the groups. For example, if you've ever managed file servers across a WAN, you would have an Accounting group for a specific share, and as employees come and go, you add/remove them to that group in AD, rather than changing the permissions directly on those shares.

I'm a little fuzzy on MAC, but it tends to have inflexible security restrictions that are designed into the foundation of whatever it's implemented in. I'm not sure if AS/400 account management would be a good example but it's the only thing that comes to mind.
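
The three models discussed in this thread, side by side, as an added example that is not part of any poster's reply: DAC where the object's owner edits the ACL, RBAC where rights hang off roles and users only change role membership, and MAC modelled with Bell-LaPadula style labels (no read up, no write down). All user, role, share and label names are constructed for illustration.

```python
# Added illustration: every user, role, share and label name is constructed.
from dataclasses import dataclass, field

# --- DAC: the object's owner edits the ACL at their own discretion ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights

    def grant(self, actor, user, right):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(right)

    def allowed(self, user, right):
        return user == self.owner or right in self.acl.get(user, set())

# --- RBAC: rights attach to roles; users only gain or lose role membership ---
ROLE_PERMS = {"hr": {("hr_share", "read"), ("hr_share", "write")},
              "finance": {("finance_share", "read")}}

def rbac_allowed(user_roles, user, obj, right):
    return any((obj, right) in ROLE_PERMS.get(r, set())
               for r in user_roles.get(user, set()))

# --- MAC: system-assigned labels decide; neither owner nor user can override ---
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}

def dominates(a, b):
    """Label a = (level, compartments) dominates b if its level is at least
    b's and it holds every compartment (need-to-know category) b carries."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

def mac_allowed(subject_label, object_label, right):
    if right == "read":                  # no read up
        return dominates(subject_label, object_label)
    if right == "write":                 # no write down
        return dominates(object_label, subject_label)
    return False

if __name__ == "__main__":
    share = DacObject(owner="alice")
    share.grant("alice", "joe", "read")  # owner's discretion
    print("DAC  joe read:", share.allowed("joe", "read"))
    print("RBAC joe write hr_share:",
          rbac_allowed({"joe": {"hr"}}, "joe", "hr_share", "write"))
    print("MAC  secret reads top_secret:",
          mac_allowed(("secret", frozenset()), ("top_secret", frozenset()), "read"))
```

The difference to notice is who can change the outcome: the owner in DAC, whoever administers role membership in RBAC, and nobody but the system's label policy in MAC.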
 

rasczak

Thanks for clearing that up for me. If you all don't mind I may just update this thread when more questions come up.

:)