CertiGuide to Security+
Chapter 1: General Security Concepts (Domain 1.0; 30%)


1.1  Access Control

(Also see section 5.5.5)

Access Control, the first item in the AAA of security, is the process by which you restrict access to computing resources. It is a combination of Authentication (proving you are who you claim to be) and Authorization (what you are allowed to see, presuming you are who you claim to be). Access control allows you to enforce the security principle of least privilege – that is, individuals should be assigned the minimum privilege level required to carry out their assigned tasks. Only those individuals authorized to access resources are permitted access to them. (In practice, the OS default often allows everyone access. But the theoretical reality is that access could be restricted.)

The capabilities and methods of access control often differ between operating systems. Access control on an AS/400 [45] is different from that on a UNIX- or NT-based machine [46].
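As an added example (not part of the original CertiGuide text), the following Python code audits a directory tree on a UNIX-style system for files whose permission bits grant access to every local user, which is the "default allows everyone" situation that least privilege is meant to eliminate. The function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits granted to "other": every account that is neither
# the file's owner nor a member of its group.
WORLD_BITS = {"read": stat.S_IROTH, "write": stat.S_IWOTH, "execute": stat.S_IXOTH}


def world_access(mode):
    """Return the rights that a file mode grants to every local user."""
    return [name for name, bit in WORLD_BITS.items() if mode & bit]


def audit_tree(root):
    """Walk root and report regular files that are accessible to 'other'.

    Returns {relative_path: [rights]} for each file any local account can use.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
            if not stat.S_ISREG(st.st_mode):
                continue
            rights = world_access(st.st_mode)
            if rights:
                findings[os.path.relpath(path, root)] = rights
    return findings


def build_sample_tree():
    """Constructed sample data: three files with explicit modes."""
    root = tempfile.mkdtemp(prefix="acl-demo-")
    samples = (("payroll.csv", 0o600), ("notes.txt", 0o644), ("shared.log", 0o666))
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod sets the mode exactly, regardless of umask
    return root


if __name__ == "__main__":
    for path, rights in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{path}: other can {', '.join(rights)}")
```

Only `payroll.csv` (mode 0600) passes the audit; a file created with the common umask of 022 ends up like `notes.txt`, readable by everyone on the machine.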

The Security+ test examines three different types of Access Control, which we will cover in the next section. Before moving on to 1.1.1, we would like to point out that all three types of control are real to some degree. That is, enforcement of access control is handled by the operating system and cannot be bypassed.

Why make this point? Any Windows 3.x/9.x/Me operating system is DOS-based, despite any claims to the contrary by the vendor in Redmond, WA. We are not knocking DOS, which is a useful stand-alone operating system for some purposes. But you do need to be aware that these operating systems offer NO security at the local machine level. Any user walking up to the machine can access any files stored on it. “But you have to log in!” No, you don’t – you can press the ESC key at the login dialog, and while you won’t have network access, you will have access to the local machine and the contents of its disks.

A degree of security can be bolted on at the network level, requiring that users provide a user ID and password known to the network before they access network resources – but this only controls access to network resources, not those on the local machine. With Office 2003, Microsoft will be encouraging pre-Windows-2000 users to upgrade, and we certainly don’t disagree from a security perspective.

Real security can be found in the Bell-LaPadula [47] model, among others, discussed in section 1.1.1.

Access Control

Access control involves the process and mechanisms used to restrict access to computing resources.

Access control is enforced by the OS and cannot be bypassed using legitimate OS functionality.


Within the topic of Access Control, we can look at three specific types of access control: mandatory, discretionary, and role-based.

 __________________

45. http://www.inetmi.com/pubs/aaTut.htm

46. http://directory.google.com/Top/Computers/Security/Authentication/

47. http://www.informatik.uni-bremen.de/~hs/Lehre/L9.pdf


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.