Intrusion Detection: Network Security Beyond the Firewall: The Role of Access Control in Your Environment
Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98
Permissions for NT Files and Directories
The NT file system (NTFS) supports granular DAC. Each file in NTFS is an object. Every NT object has a security descriptor consisting of the owner's and primary group's security identifiers (SIDs) together with a pair of access control lists. The security descriptor for an object is initialized when the object is created. Figure 3.2 shows the components of the security descriptor.
Figure 3.2 Contents of the NT security descriptor.
The security descriptor contains a discretionary ACL (the DAC ACL, or DACL) and a system ACL (the SACL). Normal NT user and group access rights for an object are stored in the DACL. Each entry (ACE) in the DACL identifies a particular user or group SID along with the access permissions granted, or explicitly denied, to that subject. The SACL, despite its name, is not a permissions list for the special SYSTEM account that represents the operating system itself; it holds the auditing entries that determine which access attempts to the object are logged. These two distinct ACLs are described in the next few sections.
DAC Access Control Lists
NT distinguishes between standard permissions and special permissions. Access permissions for an object are normally defined using the standard permissions, which are logical groupings of the special permissions. Consider the lower-level special permissions first.
Special permissions are similar to the permission bits found in UNIX, with two additions. First, an explicit permission (P) enables the subject to change the object's access permissions. If you hold this permission for an object, you are allowed to modify its permissions even if you are not the object's owner. Unlike most UNIX systems, NT therefore allows the object's owner not to be the only user who can change the permissions of an object. For example, user Joe may want users Bill and Jane to be able to set permissions on files that they work on together. Second, a special permission (O) can be granted that allows the subject to take ownership of an object. By default, the owner of the object controls its permissions, so taking ownership is a powerful permission and is normally held only by the object's owner. An Administrator is allowed to take ownership of any object, regardless of its DACL. Table 3.2 describes the special NT file permissions.
Table 3.2 NT Special Permissions

Permission | Allowed Action If Object Is a File | Allowed Action If Object Is a Directory
-----------+------------------------------------+---------------------------------------------
R          | Read contents of file              | View file and subdirectory names
X          | Execute file as a program          | Change to (traverse) subdirectories
W          | Change file contents               | Add, rename, create files and subdirectories
D          | Delete file                        | Delete directory and subdirectories
P          | Change file permissions            | Change directory permissions
O          | Take ownership of file             | Take ownership of directory
Standard permissions are summarized in Table 3.3. Notice that the intent is to give administrators more meaningful terms for managing access than the granular special permissions. Whether in practice these higher-level abstractions are easier for systems administrators is a matter of opinion.
Table 3.3 NT Standard Permissions

Permission   | Special Permissions If Object Is a File | Special Permissions If Object Is a Directory
-------------+-----------------------------------------+---------------------------------------------
No Access    | None                                    | None
List         | Not applicable                          | RX
Read         | RX                                      | RX
Add          | Not applicable                          | WX
Add & Read   | Not applicable                          | RWX
Change       | RWXD                                    | RWXD
Full Control | All                                     | All
Notice that the List and Add permissions have no interpretation for individual files. These permissions are meaningful only for directories. Recall from the discussions on UNIX permissions that a number of special meanings are applied to the permission bits depending on whether the object is a file or directory. The interpretations for the NT standard permissions are shown in Table 3.4 for files and Table 3.5 for directories.
Table 3.4 Interpretation of NT Standard Permissions for Files

No Access: Under no circumstances is the user allowed access to the file.
Read: Permission to execute the file, open the file, or display the file's attributes.
Change: Permission to append to or change data in the file, to delete the file, and to display the file's owner and permissions, plus the Read permissions.
Full Control: Equivalent to Change with the additional capability to change the file's permissions and to take ownership of the file.
Table 3.5 Interpretation of NT Standard Permissions for Folders

No Access: Under no circumstances is the user allowed access to the folder.
List: Users can list the files and subdirectories in this folder to which they have access, but cannot list files or subdirectories to which they do not have explicit access.
Read: Permission to list files or subdirectories, execute programs, change into subfolders, and display attributes of files or subfolders.
Add: Files can be added to the folder. Neither Read nor List is implied by this permission.
Add & Read: Includes the Add permissions and the Read permissions combined.
Change: The permissions granted by Read, augmented to include creation of subfolders and files, changing file or folder attributes, and deletion of the folder's files and subfolders.
Full Control: Equivalent to Change with the additional capability to change the permissions of the folder itself and to take ownership of the folder itself.
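The following is an added example, not code from the book or from Windows. It models the NT DACL described above: the special permissions of Table 3.2 become bits in an access mask, the file standard permissions of Table 3.3 become groupings of those bits, and a DACL is an ordered list of ACEs, each a SID plus a mask plus an allow/deny flag. It then runs the access check the way NT does: ACEs are evaluated in list order, granted bits accumulate across every ACE whose SID the caller holds, and a deny ACE that covers any requested bit fails the check at once, which is why "No Access" overrides a group's Change grant. The evaluation order, and the difference between a NULL DACL (no protection) and an empty DACL (no access), are NT facts that go beyond what the chapter text states. The SIDs are abbreviated to labels such as "S-Bill", and the users, groups and DACL are constructed for the example.

```python
"""Model of an NT-style DACL check over the permissions in Tables 3.2 and 3.3.

Added example (not the book's code and not Windows code). SIDs are
abbreviated to labels such as "S-Bill"; the users, groups and the DACL are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Table 3.2 special permissions as access-mask bits. O (take ownership) is
# the right the prose describes.
R, W, X, D, P, O = (1 << i for i in range(6))
SPECIAL_NAMES = {R: "R", W: "W", X: "X", D: "D", P: "P", O: "O"}
ALL = R | W | X | D | P | O

# Table 3.3 standard permissions for files. No Access is not an allow ACE
# with an empty mask; it is a deny ACE covering every bit (see no_access).
STANDARD_FILE = {
    "Read": R | X,
    "Change": R | W | X | D,
    "Full Control": ALL,
}


@dataclass(frozen=True)
class ACE:
    sid: str     # user or group SID this entry applies to
    mask: int    # special-permission bits
    allow: bool  # True = access-allowed ACE, False = access-denied ACE


def no_access(sid: str) -> ACE:
    """The 'No Access' standard permission: a deny ACE for every bit."""
    return ACE(sid, ALL, allow=False)


def describe(mask: int) -> str:
    """Render a mask in the letter form the tables use, e.g. 'RWXD'."""
    return "".join(name for bit, name in SPECIAL_NAMES.items() if mask & bit)


def access_check(dacl: Optional[List[ACE]], token_sids: Iterable[str],
                 requested: int) -> bool:
    """Return True if the caller's SIDs together obtain every requested bit.

    dacl=None models a NULL DACL (no protection: everything is granted);
    dacl=[] models an empty DACL (nothing is granted to anyone).
    """
    if dacl is None:
        return True
    sids = set(token_sids)
    granted = 0
    for ace in dacl:                      # evaluation order is the list order
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & requested:      # any denied bit ends the check
                return False
        else:
            granted |= ace.mask           # rights accumulate across ACEs
            if granted & requested == requested:
                return True
    return granted & requested == requested


# Constructed DACL in canonical order: the deny ACE first, then the allows.
# Temps are locked out entirely; Developers get Change; Bill alone may also
# change permissions (P), as in the text's Joe/Bill/Jane example.
PROJECT_FILE_DACL = [
    no_access("S-Temps"),
    ACE("S-Developers", STANDARD_FILE["Change"], allow=True),
    ACE("S-Bill", P, allow=True),
]

# Constructed tokens: Bill is a Developer; Jane is a Developer and a Temp;
# Joe is in neither group.
TOKENS = {
    "Bill": {"S-Bill", "S-Developers"},
    "Jane": {"S-Jane", "S-Developers", "S-Temps"},
    "Joe": {"S-Joe"},
}


def can(user: str, requested: int, dacl=PROJECT_FILE_DACL) -> bool:
    """Run the access check for one of the constructed users."""
    return access_check(dacl, TOKENS[user], requested)


if __name__ == "__main__":
    checks = (("Read", R), ("Change", STANDARD_FILE["Change"]), ("P", P), ("O", O))
    for user in TOKENS:
        for name, mask in checks:
            print(f"{user:5} {name:7} ({describe(mask):4}) -> {can(user, mask)}")
```

Two points the run makes concrete: Jane is denied even Read because the Temps deny ACE is hit before her Developers grant is ever considered, and Bill obtains Change plus P only by accumulating bits from two separate ACEs. If the deny ACE were placed after the allow ACEs, the check would return True before reaching it, which is why NT keeps deny entries at the front of the list.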
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.