Section 14: Authentication and Authorization Flashcards
Mandatory Access Control (MAC)
▪ Uses security labels (clearances on subjects, classifications on objects) to determine which users are authorized to access a resource
Complex to configure and expensive to maintain
Generally reserved for high-security systems
Anything that is not explicitly allowed is denied by default
Discretionary Access Control (DAC)
▪ Allows the resource owner to specify which users can access each resource
Role-Based Access Control (RBAC)
▪ Allows an administrator to assign permissions to roles, and users to roles, to control access to each resource
Example: Windows domain security groups
Attribute-Based Access Control (ABAC)
▪ Relies on a set of characteristics (attributes) of the user, the environment, and the resource to make access control decisions
● User attributes: username, role, group
● Environment attributes: time of access, location of data
● Resource attributes: creation date, file name, file owner
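The four models above differ mainly in who writes the rule and what the rule is allowed to look at. The following added example (not part of the original flashcards) decides one request under all four at once; the clearance levels, users, ACL, role table and ABAC rule are constructed for illustration.

```python
"""Four access-control models deciding the same request.
Added example, not from the original flashcards: the clearance levels,
users, ACL, roles and ABAC rule are constructed for illustration."""
from datetime import time

# MAC: fixed labels set by the system. The subject's clearance is compared
# with the object's classification; anything not explicitly permitted is denied.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows(clearance, classification, perm):
    """Bell-LaPadula rules: no read up, no write down. Unknown labels deny."""
    if clearance not in LEVELS or classification not in LEVELS:
        return False
    if perm == "read":
        return LEVELS[clearance] >= LEVELS[classification]
    if perm == "write":
        return LEVELS[clearance] <= LEVELS[classification]
    return False

# DAC: the resource owner hands out permissions in an ACL at their discretion.
def dac_allows(resource, user, perm):
    if user == resource["owner"]:
        return True
    return perm in resource["acl"].get(user, set())

# RBAC: permissions are attached to roles; users are assigned roles.
ROLE_PERMS = {"admin": {"read", "write", "delete"}, "analyst": {"read"}}

def rbac_allows(roles, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in roles)

# ABAC: one rule over user, environment and resource attributes.
def abac_allows(user, env, resource, perm):
    """Analysts may read files of their own department during business
    hours from the corporate network; the owner may read and write."""
    if user["name"] == resource["owner"] and perm in ("read", "write"):
        return True
    in_hours = time(8, 0) <= env["time"] <= time(18, 0)
    return (perm == "read"
            and "analyst" in user["roles"]
            and user["department"] == resource["department"]
            and in_hours
            and env["network"] == "corp")

def evaluate(user, env, resource, perm):
    """Return the decision of each model for one request."""
    return {
        "MAC": mac_allows(user["clearance"], resource["label"], perm),
        "DAC": dac_allows(resource, user["name"], perm),
        "RBAC": rbac_allows(user["roles"], perm),
        "ABAC": abac_allows(user, env, resource, perm),
    }

# Constructed sample subject, object and environments.
ALICE = {"name": "alice", "clearance": "secret", "roles": ["analyst"],
         "department": "finance"}
REPORT = {"name": "q3-forecast.xlsx", "label": "confidential", "owner": "bob",
          "acl": {"alice": {"read"}}, "department": "finance"}
OFFICE = {"time": time(10, 30), "network": "corp"}
NIGHT = {"time": time(23, 0), "network": "vpn"}

if __name__ == "__main__":
    for env, perm in ((OFFICE, "read"), (NIGHT, "read"), (OFFICE, "write")):
        print(perm, env["time"], env["network"], evaluate(ALICE, env, REPORT, perm))
```

Running it shows the point of each card: the same read request that MAC, DAC and RBAC all allow is refused by ABAC once the environment attributes change (night, off the corporate network), and a write is refused by MAC for a different reason than by DAC or RBAC (label ordering versus a missing grant).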
Authentication Protocols
o Remote Authentication Dial-In User Service (RADIUS)
▪ Cross-platform protocol that authenticates and authorizes users to services, and accounts for their usage
o Terminal Access Controller Access Control System Plus (TACACS+)
▪ Cisco-proprietary protocol that provides separate authentication, authorization, and accounting services
o Diameter
▪ Peer-to-peer protocol created as a next-generation version of RADIUS
o The Lightweight Directory Access Protocol (LDAP)
▪ Cross-platform protocol that centralizes information about clients and objects on the network
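To make the RADIUS card concrete, here is the Access-Request / Access-Accept exchange between a network access server (NAS) and a RADIUS server sharing a secret, as an added example that is not part of the original flashcards. It follows RFC 2865 (packet header, attribute encoding, User-Password hiding with MD5, and the Response Authenticator); the shared secret, user database, identifier and password are constructed.

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS and a
server sharing a secret, following RFC 2865.  Added example, not from the
original flashcards; the shared secret, user database, identifier and
password are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types
HEADER = struct.Struct("!BBH")           # code, identifier, length

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request
    Authenticator.  This is an MD5 keystream, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    """Type-Length-Value attribute; length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def nas_build_access_request(username, password, secret, ident):
    """NAS side: fresh random Request Authenticator, hidden password."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth)))
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth

def server_handle(packet, secret, user_db):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = HEADER.pack(reply_code, ident, 20)          # no reply attributes
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth

def nas_check_response(response, request_auth, secret):
    """NAS side: trust the reply code only if its authenticator verifies."""
    code, ident, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_auth
                           + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

SECRET = b"constructed-shared-secret"              # constructed
USER_DB = {b"alice": b"correct horse battery"}     # constructed

def login(username, password, ident=42):
    """Run one full exchange and return the verified reply code (or None)."""
    req, request_auth = nas_build_access_request(username, password, SECRET, ident)
    resp = server_handle(req, SECRET, USER_DB)
    return nas_check_response(resp, request_auth, SECRET)

if __name__ == "__main__":
    print(login(b"alice", b"correct horse battery"))   # 2 = Access-Accept
    print(login(b"alice", b"wrong"))                   # 3 = Access-Reject
```

The code also shows the practical difference the TACACS+ and Diameter cards hint at: RADIUS hides only the User-Password attribute, and does so with an MD5 keystream derived from the shared secret, while the username and everything else travel in the clear over UDP.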
Hardware Security Module (HSM)
▪ Generates and stores cryptographic keys and is less susceptible to tampering and insider threats
Attestation
o Allows enterprise security personnel to determine whether a change to the baseline (the expected measured state of firmware, boot loader, and OS) has been made
o Attestation Identity Key (AIK)
▪ TPM key used to sign the platform measurements (PCR values) it reports, so a verifier can confirm the integrity of the platform state and that the report came from a genuine TPM
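The attestation and AIK cards describe a measured-boot-plus-quote flow; the following added example (not part of the original flashcards) runs it end to end: each boot stage measures the next component into a PCR, the device answers a verifier's nonce with a quote signed by its AIK, and the verifier compares the reported PCR against a golden baseline. PCR extension follows the TPM rule PCR' = SHA-256(PCR || measurement). The AIK signature is stood in for by an HMAC so the example runs with the standard library only; a real TPM signs the quote with an asymmetric AIK and the verifier holds only its public half. All component blobs and keys are constructed.

```python
"""Measured boot and a remote-attestation check against a golden baseline.
Added example, not from the original flashcards.  PCR extension follows
PCR' = SHA-256(PCR || measurement).  The AIK signature is stood in for by an
HMAC (stdlib only); a real TPM uses an asymmetric AIK whose public half the
verifier holds.  All component blobs and keys are constructed."""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32

def extend(pcr, measurement):
    """TPM PCR extend: the new value chains the old value and the digest,
    so a PCR can only be extended, never set to a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components):
    """Each stage measures the next component into PCR 0 before running it;
    the final value depends on every component and on their order."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr

def tpm_quote(pcr, nonce, aik):
    """Quote = (PCR value, verifier nonce) signed with the AIK.  The nonce
    binds the quote to this attestation round and defeats replay."""
    return {"pcr": pcr, "nonce": nonce,
            "sig": hmac.new(aik, pcr + nonce, "sha256").digest()}

def verify_quote(q, nonce, aik_key, golden_pcr):
    """Verifier side: check freshness, then the AIK signature, then whether
    the reported state still matches the baseline."""
    if not hmac.compare_digest(q["nonce"], nonce):
        return "replayed quote"
    expected = hmac.new(aik_key, q["pcr"] + q["nonce"], "sha256").digest()
    if not hmac.compare_digest(expected, q["sig"]):
        return "bad AIK signature"
    if not hmac.compare_digest(q["pcr"], golden_pcr):
        return "baseline changed"
    return "ok"

def attest(components, nonce, aik):
    """Device side: boot (measuring each stage) and answer the challenge."""
    return tpm_quote(measure_boot(components), nonce, aik)

# Constructed AIK and golden baseline recorded when the device was enrolled.
AIK = b"constructed-aik-secret"
BASELINE = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN_PCR = measure_boot(BASELINE)

def check_device(components, aik=AIK):
    """One attestation round: verifier issues a nonce, device answers."""
    nonce = os.urandom(16)
    return verify_quote(attest(components, nonce, aik), nonce, AIK, GOLDEN_PCR)

if __name__ == "__main__":
    print(check_device(BASELINE))                                          # ok
    print(check_device([b"firmware-v1", b"bootloader-v1", b"kernel-v2"]))  # baseline changed
    print(check_device([b"bootloader-v1", b"firmware-v1", b"kernel-v1"]))  # baseline changed
    print(check_device(BASELINE, aik=b"attacker-key"))                     # bad AIK signature
```

Two details worth noticing: reordering the same components changes the PCR, because extend chains values rather than summing them, and a quote signed with the wrong key is rejected before the PCR is even compared, which is what the AIK is for.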