Week 2 Assignment
File Management Paper
University of Phoenix
On any computer system that has multiple users with different levels of security clearance, some form of file protection is needed. On a UNIX system with 5000 users, where 4990 of those users have the same level of clearance, traditional UNIX file access control can be implemented. Under this scheme each user is assigned a unique user identification number (user ID). A user on a UNIX system is also assigned to a primary group, and possibly to a number of additional groups, each identified by a specific group ID. Whenever a user creates a file, it is marked with that user's ID and with the user's primary group ID. With this type of protection scheme the administrator can control each user's permissions. The permissions fall into three basic categories: read, write, and execute. They may be granted to three classes of users: the owner or creator of the file, the group to which the file belongs, and all other users on the system regardless of their group.

An access control policy dictates what type of access is permitted, under what circumstances, and by whom. Discretionary access control (DAC) controls access based on the identity of the requester and on access rules (authorizations) associated with the resource. Mandatory access control (MAC) controls access by comparing security labels, which indicate how sensitive or critical system resources are, with security clearances, which indicate which users are eligible to access certain resources. Role-based access control (RBAC) regulates access based on the roles that users have within the system and on rules stating which accesses are allowed to users in a given role. The administrator will therefore be able to control access to specific files, and in the situation with the 5000 users, the 10 can be allowed access to files that the other 4990 are not allowed to reach.
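As an added illustration (not part of the original paper or of the Stallings text), the following Python models the UNIX owner/group/other check for the scenario above: a constructed population of 5000 accounts in which only ten belong to a project group, a file owned by one of them with mode 0640, and a helper that lists who can actually read it, which is the check an administrator should run before trusting the restriction. User IDs, group IDs and the mode are assumed values chosen for the example.

```python
import stat
from dataclasses import dataclass, field

READ, WRITE, EXEC = 4, 2, 1


@dataclass
class User:
    uid: int
    primary_gid: int
    extra_gids: frozenset = field(default_factory=frozenset)

    def groups(self):
        return {self.primary_gid} | set(self.extra_gids)


@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


def permitted(user, f, want):
    """True if `user` may perform `want` (bitmask of READ|WRITE|EXEC) on `f`.
    Classic UNIX rule: exactly one class applies, chosen in the order
    owner -> group -> other, so an owner is judged by the owner bits even
    when the group bits would have been more generous."""
    if user.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.group_gid in user.groups():
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def build_scenario():
    """Constructed population: uids 1000..5999, all with primary gid 100;
    gid 200 is the project group and only uids 1000..1009 are members."""
    users = {uid: User(uid, 100, frozenset({200}) if uid < 1010 else frozenset())
             for uid in range(1000, 6000)}
    secret = File(owner_uid=1000, group_gid=200, mode=0o640)  # rw-r-----
    return users, secret


def readers(users, f):
    """Every uid able to read f: the verification step after setting the mode."""
    return sorted(uid for uid, u in users.items() if permitted(u, f, READ))


def describe(mode):
    """Render permission bits the way `ls -l` prints them (stdlib stat.filemode)."""
    return stat.filemode(stat.S_IFREG | mode)[1:]
```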
Because files on the system need to be protected against intruders and other threats, a password scheme needs to be in place. The password scheme also ensures that each user accesses only their own files, so each user must be assigned a password. In a basic UNIX password scheme each user selects a password of up to eight characters, which is then converted into a 56-bit value (eight 7-bit ASCII characters). Other password schemes exist, each with its own encryption routine.
In my opinion the Windows 7 access control scheme is the more effective scheme for authenticating users. The user logs onto the system and enters his or her password; when the logon is accepted, a process is created for the user and an access token is associated with that process object. This access token includes the security ID (SID), which is the identifier the system uses to recognize each user. I believe a token-based access control scheme is more effective because it speeds up access validation. It also allows each process to modify its security characteristics in limited ways without affecting other processes running on behalf of the same user.
Reference: Operating Systems: Internals and Design Principles, Seventh Edition, by William Stallings.