Access Control Models

Posted by nomorespameventhoughthejapanes on August 24, 2006, 2:26 pm
What are the different default and optional access control models for
the following systems:

Win NT

Win 2000 (workstation and server)

Win XP

Win 2003 Server

I read multiple reports that differ in opinion. Some say DAC for NT
and 2000 and others say MAC and then some others say RBAC.

I think that an upgrade exists to enable RBAC in NT and 2000 but that
default it is DAC.

Did Microsoft first introduce RBAC in Windows XP and 2003?

Thanks!


Posted by Steven L Umbach on August 24, 2006, 2:54 pm
They all use discretionary access control. The owner of the object can set
permissions which by default is the creator of the object.

Steve



"nomorespameventhoughthejapanesespamgivesmeachuckle"
> What are the different default and optional access control models for
> the following systems:
>
> Win NT
>
> Win 2000 (workstation and server)
>
> Win XP
>
> Win 2003 Server
>
> I read multiple reports that differ in opinion. Some say DAC for NT
> and 2000 and others say MAC and then some others say RBAC.
>
> I think that an upgrade exists to enable RBAC in NT and 2000 but that
> default it is DAC.
>
> Did Microsoft first introduce RBAC in Windows XP and 2003?
>
> Thanks!
>



Posted by nomorespameventhoughthejapanes on August 24, 2006, 3:06 pm

Steven L Umbach wrote:
> They all use discretionary access control. The owner of the object can set
> permissions which by default is the creator of the object.
>
> Steve
>
>
>
> "nomorespameventhoughthejapanesespamgivesmeachuckle"
> > What are the different default and optional access control models for
> > the following systems:
> >
> > Win NT
> >
> > Win 2000 (workstation and server)
> >
> > Win XP
> >
> > Win 2003 Server
> >
> > I read multiple reports that differ in opinion. Some say DAC for NT
> > and 2000 and others say MAC and then some others say RBAC.
> >
> > I think that an upgrade exists to enable RBAC in NT and 2000 but that
> > default it is DAC.
> >
> > Did Microsoft first introduce RBAC in Windows XP and 2003?
> >
> > Thanks!
> >

Gotcha... Take Windows XP and 2003 for example... are these hybrid DAC
and RBAC? With AD the admin can include users in roles like "backup
operator" and assign those roles certain permissions.


Posted by Steven L Umbach on August 24, 2006, 3:23 pm
What you refer to are privileged groups that have been around since the
first version of NT [nothing new here] and could be considered roles. But by
definition DAC allows the owner of the object to set permissions on the
object and that is the case on any NT based Windows operating system. If Joe
Blow has sensitive data on his computer because of DAC he can give ANY
user/group including everyone access to that data regardless of the user's
job role.

Steve


"nomorespameventhoughthejapanesespamgivesmeachuckle"
>
> Steven L Umbach wrote:
>> They all use discretionary access control. The owner of the object can
>> set
>> permissions which by default is the creator of the object.
>>
>> Steve
>>
>>
>>
>> "nomorespameventhoughthejapanesespamgivesmeachuckle"
>> > What are the different default and optional access control models for
>> > the following systems:
>> >
>> > Win NT
>> >
>> > Win 2000 (workstation and server)
>> >
>> > Win XP
>> >
>> > Win 2003 Server
>> >
>> > I read multiple reports that differ in opinion. Some say DAC for NT
>> > and 2000 and others say MAC and then some others say RBAC.
>> >
>> > I think that an upgrade exists to enable RBAC in NT and 2000 but that
>> > default it is DAC.
>> >
>> > Did Microsoft first introduce RBAC in Windows XP and 2003?
>> >
>> > Thanks!
>> >
>
> Gotcha... Take Windows XP and 2003 for example... are these hybrid DAC
> and RBAC? With AD the admin can include users in roles like "backup
> operator" and assign those roles certain permissions.
>
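
The DAC behaviour Steve describes, shown as an added PowerShell example that is not part of the original thread: an ordinary user creates a file, is its owner by default, and grants Everyone read access with no role check, after which the hypothetical `Get-BroadAccessAce` function lists such grants for review. The file name and function name are assumptions, and the file content is a constructed sample.

```powershell
# Added example. Run as an ordinary (non-admin) user on an NTFS volume.
$path = Join-Path $env:TEMP 'dac-demo.txt'        # hypothetical file name
Set-Content -Path $path -Value 'sensitive data (constructed sample)'

# 1. The creator of the object is its owner by default.
$acl = Get-Acl -Path $path
"Owner: $($acl.Owner)"

# 2. The owner edits the DACL at will: grant the well-known Everyone SID
#    (S-1-1-0) read access. Nothing here consults the user's job role.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Review side: list Allow ACEs held by broad principals on a path.
function Get-BroadAccessAce {                     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Everyone, Authenticated Users, BUILTIN\Users
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      @{ n = 'Sid';  e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

# The explicit (IsInherited = False) Everyone ACE added in step 2 shows up here.
Get-BroadAccessAce -Path $path | Format-Table -AutoSize

# Clean up the demo file.
Remove-Item -Path $path
```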



Posted by nomorespameventhoughthejapanes on August 24, 2006, 5:46 pm

Steven L Umbach wrote:
> What you refer to are privileged groups that have been around since the
> first version of NT [nothing new here] and could be considered roles. But by
> definition DAC allows the owner of the object to set permissions on the
> object and that is the case on any NT based Windows operating system. If Joe
> Blow has sensitive data on his computer because of DAC he can give ANY
> user/group including everyone access to that data regardless of the user's
> job role.
>
> Steve

Thanks a lot.

Do you have any familiarity with the Authorization Manager Runtime:

Overview (from Microsoft)
The Windows 2000 Authorization Manager Runtime is a Windows 2000 Server
version of the Windows Server 2003 Authorization Manager Role-Based
Access Control (RBAC) API.
Windows Server 2003 family operating systems introduced the
Authorization Manager RBAC framework which includes the Authorization
Manager API and Role-based MMC snap-in Administration UI (Authorization
Manager Snap-in UI is only available on Windows Server 2003 family
operating systems and on the Windows Server 2003 Administration Pack
for Windows XP.)
The Authorization Manager API provides a simplified development model
in which to manage flexible groups and business rules and store
authorization policies.
Storage in Active Directory requires the domain to be at Windows Server
2003 functional level.
Using the Windows 2000 Authorization Manager Runtime you can build
server applications to use the Authorization Manager Role-based access
control model that run on Windows 2000 Server family operating systems.

Will using this totally negate DAC? Is there any way to not use DAC
within a Windows environment using either 1st or 3rd party snap-ins?

