Access Control Models

Subject Author Date
Access Control Models nomorespameventhoughthejapanes 08-24-2006
Posted by Steven L Umbach on August 24, 2006, 8:03 pm
No I am not familiar with that and exactly what it can do. One certainly
could use technologies in Windows NT operating systems to implement RBAC
type policies but I don't know if there is a way that will prevent DAC.
Maybe what you mention can do that and someone else familiar with it will
comment.

Steve


"nomorespameventhoughthejapanesespamgivesmeachuckle"
>
> Steven L Umbach wrote:
>> What you refer to are privileged groups that have been around since the
>> first version of NT [nothing new here] and could be considered roles. But
>> by
>> definition DAC allows the owner of the object to set permissions on the
>> object and that is the case on any NT based Windows operating system. If
>> Joe
>> Blow has sensitive data on his computer because of DAC he can give ANY
>> user/group including everyone access to that data regardless of the users
>> job role.
>>
>> Steve
>
> Thanks a lot.
>
> Do you have in familiarity with the Authorization Manager Runtime:
>
> Overview (from Microsoft)
> The Windows 2000 Authorization Manager Runtime is a Windows 2000 Server
> version of the Windows Server 2003 Authorization Manager Role-Based
> Access Control (RBAC) API.
> Windows Server 2003 family operating systems introduced the
> Authorization Manager RBAC framework which includes the Authorization
> Manager API and Role-based MMC snap-in Administration UI (Authorization
> Manager Snap-in UI is only available on Windows Server 2003 family
> operating systems and on the Windows Server 2003 Administration Pack
> for Windows XP.)
> The Authorization Manager API provides a simplified development model
> in which to manage flexible groups and business rules and store
> authorization policies.
> Storage in Active Directory requires the domain to be at Windows Server
> 2003 functional level.
> Using the Windows 2000 Authorization Manager Runtime you can build
> server applications to use the Authorization Manager Role-based access
> control model that run on Windows 2000 Server family operation systems.
>
> Will using this totally negate DAC? Is there any way to not use DAC
> within a Windows environment using either 1st or 3rd part snap-ins?
>



Posted by Roger Abell [MVP] on August 24, 2006, 8:42 pm
It might be fair to think of AzMan as a snapshot of MS thinking around
W2k3 release time of how the CAS model from .Net could grow to
become a full-fledged access control. What AzMan can do is implemented
below with groups (ok, or accounts) and using these subject to the existing
DAC and CAS models.

"nomorespameventhoughthejapanesespamgivesmeachuckle"
>
> Steven L Umbach wrote:
>> What you refer to are privileged groups that have been around since the
>> first version of NT [nothing new here] and could be considered roles. But
>> by
>> definition DAC allows the owner of the object to set permissions on the
>> object and that is the case on any NT based Windows operating system. If
>> Joe
>> Blow has sensitive data on his computer because of DAC he can give ANY
>> user/group including everyone access to that data regardless of the users
>> job role.
>>
>> Steve
>
> Thanks a lot.
>
> Do you have in familiarity with the Authorization Manager Runtime:
>
> Overview (from Microsoft)
> The Windows 2000 Authorization Manager Runtime is a Windows 2000 Server
> version of the Windows Server 2003 Authorization Manager Role-Based
> Access Control (RBAC) API.
> Windows Server 2003 family operating systems introduced the
> Authorization Manager RBAC framework which includes the Authorization
> Manager API and Role-based MMC snap-in Administration UI (Authorization
> Manager Snap-in UI is only available on Windows Server 2003 family
> operating systems and on the Windows Server 2003 Administration Pack
> for Windows XP.)
> The Authorization Manager API provides a simplified development model
> in which to manage flexible groups and business rules and store
> authorization policies.
> Storage in Active Directory requires the domain to be at Windows Server
> 2003 functional level.
> Using the Windows 2000 Authorization Manager Runtime you can build
> server applications to use the Authorization Manager Role-based access
> control model that run on Windows 2000 Server family operation systems.
>
> Will using this totally negate DAC? Is there any way to not use DAC
> within a Windows environment using either 1st or 3rd part snap-ins?
>



Posted by Steven L Umbach on August 24, 2006, 9:15 pm
I am not familiar with AzMan but thanks for the info on it and I will try to
check it out more.

Steve


> It might be fair to think of AzMan as a snapshot of MS thinking around
> W2k3 release time of how the CAS model from .Net could grow to
> become a full-fledge access control. What AxMan can do is implemented
> below with groups (ok, or accounts) and using these subject to the
> existing
> DAC and CAS models.
>
> "nomorespameventhoughthejapanesespamgivesmeachuckle"
>>
>> Steven L Umbach wrote:
>>> What you refer to are privileged groups that have been around since the
>>> first version of NT [nothing new here] and could be considered roles.
>>> But by
>>> definition DAC allows the owner of the object to set permissions on the
>>> object and that is the case on any NT based Windows operating system. If
>>> Joe
>>> Blow has sensitive data on his computer because of DAC he can give ANY
>>> user/group including everyone access to that data regardless of the
>>> users
>>> job role.
>>>
>>> Steve
>>
>> Thanks a lot.
>>
>> Do you have in familiarity with the Authorization Manager Runtime:
>>
>> Overview (from Microsoft)
>> The Windows 2000 Authorization Manager Runtime is a Windows 2000 Server
>> version of the Windows Server 2003 Authorization Manager Role-Based
>> Access Control (RBAC) API.
>> Windows Server 2003 family operating systems introduced the
>> Authorization Manager RBAC framework which includes the Authorization
>> Manager API and Role-based MMC snap-in Administration UI (Authorization
>> Manager Snap-in UI is only available on Windows Server 2003 family
>> operating systems and on the Windows Server 2003 Administration Pack
>> for Windows XP.)
>> The Authorization Manager API provides a simplified development model
>> in which to manage flexible groups and business rules and store
>> authorization policies.
>> Storage in Active Directory requires the domain to be at Windows Server
>> 2003 functional level.
>> Using the Windows 2000 Authorization Manager Runtime you can build
>> server applications to use the Authorization Manager Role-based access
>> control model that run on Windows 2000 Server family operation systems.
>>
>> Will using this totally negate DAC? Is there any way to not use DAC
>> within a Windows environment using either 1st or 3rd part snap-ins?
>>
>
>



Posted by Roger Abell [MVP] on August 24, 2006, 10:01 pm
No problem Steve, although I was replying to OP named
nomorespameventhoughthejapanesespamgivesmeachuckle

Had I thought I was informing yourself I would have surely
approached it differently.

Cheers,
Roger

>I am not familiar wih AzMan but thanks for the info on it and I will try to
>check it out more.
>
> Steve
>
>
>> It might be fair to think of AzMan as a snapshot of MS thinking around
>> W2k3 release time of how the CAS model from .Net could grow to
>> become a full-fledge access control. What AxMan can do is implemented
>> below with groups (ok, or accounts) and using these subject to the
>> existing
>> DAC and CAS models.
>>
>> "nomorespameventhoughthejapanesespamgivesmeachuckle"
>>>
>>> Steven L Umbach wrote:
>>>> What you refer to are privileged groups that have been around since the
>>>> first version of NT [nothing new here] and could be considered roles.
>>>> But by
>>>> definition DAC allows the owner of the object to set permissions on the
>>>> object and that is the case on any NT based Windows operating system.
>>>> If Joe
>>>> Blow has sensitive data on his computer because of DAC he can give ANY
>>>> user/group including everyone access to that data regardless of the
>>>> users
>>>> job role.
>>>>
>>>> Steve
>>>
>>> Thanks a lot.
>>>
>>> Do you have in familiarity with the Authorization Manager Runtime:
>>>
>>> Overview (from Microsoft)
>>> The Windows 2000 Authorization Manager Runtime is a Windows 2000 Server
>>> version of the Windows Server 2003 Authorization Manager Role-Based
>>> Access Control (RBAC) API.
>>> Windows Server 2003 family operating systems introduced the
>>> Authorization Manager RBAC framework which includes the Authorization
>>> Manager API and Role-based MMC snap-in Administration UI (Authorization
>>> Manager Snap-in UI is only available on Windows Server 2003 family
>>> operating systems and on the Windows Server 2003 Administration Pack
>>> for Windows XP.)
>>> The Authorization Manager API provides a simplified development model
>>> in which to manage flexible groups and business rules and store
>>> authorization policies.
>>> Storage in Active Directory requires the domain to be at Windows Server
>>> 2003 functional level.
>>> Using the Windows 2000 Authorization Manager Runtime you can build
>>> server applications to use the Authorization Manager Role-based access
>>> control model that run on Windows 2000 Server family operation systems.
>>>
>>> Will using this totally negate DAC? Is there any way to not use DAC
>>> within a Windows environment using either 1st or 3rd part snap-ins?
>>>
>>
>>
>
>



Posted by Roger Abell [MVP] on August 24, 2006, 8:36 pm
Steve has pretty much answered you but I wanted to add on.

Due to ownership of new objects vesting in the creator, all Windows
versions prior to Vista cannot support a MAC model, at least not as
shipped (evented revocation of ownership upon create would be needed).

I have indications that Vista allows an alternative behavior, but I have yet
to fully explore how far this has actually been taken in implementation.
I am also concerned that if the behavior changes are in fact included they
will still fall short of enabling a true MAC implementation (they likely
will certainly fall short for a default install's use of storage) if only
due to the interactions from .Net CAS policy controlled applications.

As for RBAC, that depends on the definition used. What is the speaking
point?
http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf#search=%22RBAC%22

If you mean a RBAC that requires that it be built on MAC, then obviously
Windows in current releases is not there. The few things in Windows that
appear as if they might qualify as RBAC when added all together would not
qualify IMO as enabling a statement that Windows is even in part using an
RBAC model. Clearly some things, like named delegations in AD are grants
defined because they convey a set of elemental AD grants that are needed
for the AD right (role in AD?) delegated. The .Net security model comes
much closer to having a role model in its design/underpinnings. When one
speaks with AD architects at MS one understands that roles are the future,
but today as I see it Windows, overall including AD, uses a DAC model.
Of course, one can fairly easily implement a RBAC in Windows (that is based
on shortcomings of DAC).

Roger

"nomorespameventhoughthejapanesespamgivesmeachuckle"
> What are the different default and optional access control models for
> the following systems:
>
> Win NT
>
> Win 2000 (workstation and server)
>
> Win XP
>
> Win 2003 Server
>
> I read multiple reports that differ in opinion. Some say DAC for NT
> and 2000 and others say MAC and then some others say RBAC.
>
> I think that an upgrade exists to enable RBAC in NT and 2000 but that
> default it is DAC.
>
> Did Microsoft first introduce RBAC in Windows XP and 2003?
>
> Thanks!
>

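Steve's point that under DAC an object's owner can grant any user or group access regardless of job role, and Roger's point that RBAC on Windows is layered on groups over the existing DAC model, both imply that role-based group grants have to be re-verified rather than assumed. The following PowerShell script is an added example, not code from any poster in this thread: it walks a share and reports explicit Allow ACEs granted to principals outside an approved set of role groups. The share path and the CONTOSO group names are placeholders.

```powershell
# Added example (not from the thread): audit NTFS ACLs under a share for explicit
# grants to principals outside the approved role groups. Explicit (non-inherited)
# ACEs are where an owner has exercised DAC on an individual object, so they are
# the ones that can quietly undo a group-based role model.
param(
    [string]$Root = 'D:\Shares\Finance',                      # placeholder path
    [string[]]$ApprovedRoles = @('CONTOSO\Finance-Readers',   # placeholder role groups
                                 'CONTOSO\Finance-Editors',
                                 'NT AUTHORITY\SYSTEM',
                                 'BUILTIN\Administrators')
)

# Broad principals that defeat any role model when they appear in an Allow ACE
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            # Inherited ACEs were set on an ancestor and are reviewed there;
            # only explicit Allow entries on this object are of interest.
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $who    = $ace.IdentityReference.Value
            $reason = $null
            if ($BroadPrincipals -contains $who)      { $reason = 'broad principal' }
            elseif ($ApprovedRoles -notcontains $who) { $reason = 'outside approved roles' }

            if ($reason) {
                # Report the owner too: under DAC the owner is who could have added this ACE
                [pscustomobject]@{
                    Path      = $_.FullName
                    Owner     = $acl.Owner
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Reason    = $reason
                }
            }
        }
    } | Format-Table -AutoSize
```

Run it with an account that can read the ACLs of the whole tree; an empty table means every explicit grant under the root maps back to an approved role group.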

