Discretionary Access Control

[beaner2005]

Ok Im working on security plus and it says due to the limitations of FAT or file allocation table that Discretionary access controll could not be applied for the local creation or storage of resources.

I dont get this. I guess on windows '98 that used fat 32 but on windows 95 im certain i have done a peer to peer network with it and mapped the drives and gave discretionary access control to certain files and folders.

 

[tfg13]

I'm certain that you didn't. NTFS did not come around until Windows NT.

 

[beaner2005]

maybe you dont understand what im saying, i could install windows '95 on a old system with a 2gb hard drive and use the file allocation table. and map the storage resources. havent done much networking with windows 3.1. but im sure you could as map drives and so fourth.


so i might be mis understanding what u are saying so help me learn .

 

[tfg13]

The ability to map a drive, and Discretionary Access Controls are completely different. Apples and Oranges.

Discretionary Access Controls puts control of an object into the hands of the person who creates it. For example, if Alice creates a file on a Windows server, she becomes the owner of that new file. The owner SID is tracked as part of the security descriptor that the NTFS file system maintains for the file. The owner is implicitly granted permission to read the security descriptor and change the DACL for the file. She is able to add/delete access to the file as needed (however, administrators of the system do have the ability to override those controls).

Mapped drives are hard drives, partitions or volumes, or network drives, which are always represented by names, letter(s), or number(s) and they are often followed by additional strings of data, directory tree branches, or alternate level(s) separated by a "\" symbol. Drive mapping is used to locate directories, files or objects, and applications, and is needed by the system, administrators, various other operators, and users or groups.

The mapped drives on the 98/95/3.1/ME/various boxes where not alloted the capability to utilize discretionary access controls. Even if you were to connect to a "mapped" drive from a machine that allows discretionary access controls (we'll use XP as an example) which is on a 98 machine, the ability to place discretionary access controls on a file/folder are not there, due to the allocation table didn't have those features. Let's talk about the other way. If you tried to access a file/folder on a mapped drive that is on an XP machine with a 98 machine (of course, after authentication), you still would not be able to look at DACLS from the 98 machine. If you created a file on the XP machine from the 98 machine, the file would have default permissions, and the owner is the account you used to map the drive.

Got you confused yet?

 

[beaner2005]

havent gotten to DACLS yet, so basically what you are saying is that mapping storage devices used a diffrent protocol in comparison to dicretionary access control. that was interchangable between the network. thats the way it appears. but at the same time isnt that still dicretionary access control or some lower form of it.

 

[tfg13]

First, you should explain what you mean by "protocol". In the world of Information Technology, "protocol" can mean a whole bunch of different things.

Do not allow yourself to think that mapping drives and discretionary access control have any thing to do with each other. Each is a different topic, and are only intertwined on occasion.

DACLs are nothing more than a Discretionary Access Control List.

 

[tfg13]

DAC is a security model. Yes, in later "security" minded systems, mapping of drives afforded security models, but Pre-NT systems did not.

DAC allows users to assign permissions to files/folders. Whether these files/folders are mapped doesn't matter.

Also, in earlier systems, you could map a drive, and access any files/folders. Thankfully, that is not the case anymore.

 

[tfg13]

Not to be rude or anything, but this shouldn't even be a conversation for someone who has 18 months experience, like CompTIA advises for the Security + test. Just hope you understand that this studying for the test will only get tougher. Especially the cryptography portion.

 

[beaner2005]

tfg13 (MIS)
12 Feb 09 7:31
First, you should explain what you mean by "protocol". In the world of Information Technology, "protocol" can mean a whole bunch of different things.

Do not allow yourself to think that mapping drives and discretionary access control have any thing to do with each other. Each is a different topic, and are only intertwined on occasion.

DACLs are nothing more than a Discretionary Access Control List.




hey dude sorry my quote button is missing, im assumeing from using adblock. anyway now im working on the security plus certification. and im on security concepts. which is the beginning. however the way it was explained in the book and what the book says is the major key of focus because now im being braindumped. but what the book says is that dicretionary access control is the protocol that allows a user to discretionize a folder and give it specific permissions. in other words when your in windows xp and you right click on my documents. and go to properties and click charing and then decide previledges for sharing or with newer versions of windows little more advance or like it was on older versions of windows. the actual protocol that designates that discretion is discretionary access control.

 

[tfg13]

That's not a protocol. I would more likely call it a security role/model. There really is no protocol in models/roles. That's a system design, not a protocol.

What book are you reading? Personally, I felt the best book I had was Sybex's Security +.

 

[beaner2005]

its the one from comptia, but for example wouldnt the discretionary access control be a protocol within a protocol?

file and print sharing?

 

[beaner2005]

ok now im confused because when i originally posted this it said something about DAC and FAT only being supported by 2gbs period. i guess what i was getting at is why DAC was not supported on file allocation tables prior to fat32? because if DAC is somekind of pelimnary control or security model then why was it or some of the same features implemented in earlier operating systems?

 

[tfg13]

Find a 95/98/ME box and try to apply DAC. You can't. FAT/FAT32 does not allow you to do so. However, early versions of Unix (OK, Unix has been around a long time) and Linux all were designed with security in mind, so they have had DAC forever (not to mention RBAC and MAC). IMO, Windows didn't see themselves blowing up like they did, and it was an after thought when everyone started getting online. Oops...file sharing needs to be restricted...How do we do that? Implement DAC.

My CISSP books, and my Security + book call it a model. I'm going to stick to what helped me pass the test.

What is your books definition of protocol? That might help both of us understand what you mean by "protocol".

 

[beaner2005]

but is DAC an application or is it a model like you said before.

 

[beaner2005]

just so no one gets in the last word, i thought i would just google because i dont wanna look at the book right now. it is only a concept and not an application as described by Trusted Computer System Evaluation Criteria. could be mistaken. but i dont have any versions of windows other than my own. but i know people in the past and even on macos 7.5.3 that would allow independant file sharing. I would know this because of all the stupid pranks i would pull on the network in the computer club.

 

[beaner2005]

hey i was wondering if you might know of an application that i do not have to install on every single system on my network. basically i want to log all the websites that are viewed on my systems throughout the network. I would also like to throttle the bandwith on one of the computers on the network and maintain the current bandwith on the xbox and pc. its not wireless so im not gonna girate someones router or something. but i have a linksys router and i need something to use that would help me do all this. i asked the guy at landesk and i forgot or closed chat before i could ask him because he said i would need multiple solutions. the only reason i want to monitor websites and files being downloaded from the server is to maintain some kind of i wanna know whats going on. so basically i can see what music is cool and stuff and not bother anyone. also sometimes the internet is really slow. and communication between the systems can be unstable so i was wondering what can i do the throttle down the bandwith. so that there is no other system using too much bandwith.


basically i want the xbox to manage its self

the server to also manage itself.


however i want a maximum of 100 kb down and 50 k up. on the other machine however if the entire 50 k is not used. i dont want the functionability of my xbox or my server to be downgraded. because 50 k is reserved for the third system?




i guess like a shuffleing function like a pci bus or something for the network in a sense?

 

[beaner2005]

my connection is 3mb down and 768 up