Security Management Tools and Authentication

Security Management Tools

Tools in this category are used to manage the following Windows features

Access control

Authentication

Encrypting File System

Public Key Infrastructure

Software restriction policies

Windows Time service

Access Control Access control is the ability to permit or deny the use of a particular resource by a particular entity. Access control mechanisms can be used in managing physical resources (such as a movie theater, to which only ticketholders should be admitted), logical resources (a bank account, with a limited number of people authorized to make a withdrawal), or digital resources (for example, a private text document on a computer, which only certain users should be able to read).

Item control or electronic key management is an area within (and possibly integrated with) an access control system which concerns the managing of possession and location of small assets or physical (mechanical) keys.

Access control models used by current systems tend to fall into one of two classes those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object (roughly analogous to how possession of your house key grants you access to your house); access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject’s access to an object depends on whether its identity is on a list associated with the object (roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list); access is conveyed by editing the list. (Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.)

Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject).

Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where

➢        identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in;

➢        Aauthorization determines what a subject can do;

➢        Accountability identifies what a subject (or all subjects associated with a user) did.

Authentication

Authenticators are commonly based on at least one of these four factors

➢        Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.

➢        Something one have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.

➢        Something’s are, such as fingerprint, voice, retina, or iris characteristics.

➢        Where one is, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.

Encrypting File System

The Encrypting File System (EFS) is a file system driver that provides file system-level encryption in Microsoft Windows (2000 and later) operating systems, except Windows XP Home Edition, Windows Vista Basic, and Windows Vista Home Premium. The technology enables files to be transparently encrypted on NTFS file systems to protect confidential data from attackers with physical access to the computer.

User authentication and access control lists can protect files from unauthorized access while the operating system is running, but are easily circumvented if an attacker gains physical access to the computer. One solution is to store the files encrypted on the disks of the computer. EFS does this using public key cryptography, and aims to ensure that decrypting the files is extremely difficult without the correct key. However, EFS is in practice susceptible to brute force attacks against the user account passwords. In other words, encryption of files is only as strong as the password to unlock the decryption key.