二、訪問(wèn)控制系統(tǒng)和方法

1、二、訪問(wèn)控制系統(tǒng)和方法主題Tokens/SSOKerberos攻擊/弱點(diǎn)/監(jiān)控IDS滲透測(cè)試什么是訪問(wèn)控制?如何實(shí)施訪問(wèn)控制?訪問(wèn)控制實(shí)施之前物理訪問(wèn)控制認(rèn)證密碼的問(wèn)題雙因子認(rèn)證令牌生物識(shí)別 Biometrics敏感度錯(cuò)誤錯(cuò)誤接受率錯(cuò)誤拒絕率CER單次登錄 Single sign-onKerberosKerberos的認(rèn)證過(guò)程1、用戶向AS認(rèn)證；2、AS發(fā)送初始票證給用戶；3、用戶請(qǐng)求訪問(wèn)文件服務(wù)器；4、TGS使用會(huì)話密鑰創(chuàng)建新票證；5、用戶提取一個(gè)會(huì)話密鑰并將票證發(fā)送給文件服務(wù)器。ASTGS初始票證1.23.4.5.會(huì)話密鑰票證會(huì)話密鑰KDC用戶實(shí)體文件服務(wù)器實(shí)體用戶和KDC共享一個(gè)密鑰；服

2、務(wù)和KDC共享另一個(gè)密鑰。訪問(wèn)控制的模型 MAC vs. DAC強(qiáng)制訪問(wèn)控制自主型訪問(wèn)控制基于角色的訪問(wèn)控制訪問(wèn)控制模型總結(jié)相關(guān)的訪問(wèn)控制技術(shù)訪問(wèn)控制列表 (ACL)PermissionAllowed action, ifobject is a fileAllow action if object is adirectoryR (read)Reads contents of a fileList contents of the directoryX (execute)Execute file as a program Search the directoryW (write)Change fi

3、le contentsAdd, rename, create files andsubdirectories標(biāo)準(zhǔn)的UNIX文件權(quán)限標(biāo)準(zhǔn)的NT權(quán)限PermissionAllowed action, ifobject is a fileAllow action if object is adirectoryNo accessNoneNoneListN/ARXReadRXRXAddN/AWXAdd & ReadN/ARWXChangeRWXDRWXDFull ControlAllAllR- ReadX - ExecuteW - WriteD - Delete訪問(wèn)控制管理訪問(wèn)控制實(shí)現(xiàn)的方法TEMPST訪問(wèn)控制監(jiān)控基于時(shí)間的動(dòng)態(tài)安全模型（PDR)時(shí)間訪問(wèn)控制攻擊滲透測(cè)試 - Penetration Testing