AccessControlList(ACL)訪(fǎng)問(wèn)控制列表

AccessAccessControlList(ACL)訪(fǎng)問(wèn)掌握列表訪(fǎng)問(wèn)掌握是網(wǎng)絡(luò)安全防范和保護(hù)的主要策略，它的主要任務(wù)是保證網(wǎng)絡(luò)資源不被非法使用和訪(fǎng)問(wèn)。它是保證網(wǎng)絡(luò)安全最重要的核心策略之一。訪(fǎng)問(wèn)掌握涉及的技術(shù)也比較廣，包括入網(wǎng)訪(fǎng)問(wèn)掌握、網(wǎng)絡(luò)權(quán)限掌握、名目級(jí)掌握以及屬性控制等多種手段。訪(fǎng)問(wèn)掌握列表(ACL)是應(yīng)用在路由器接口的指令列表。這些指令列表用來(lái)告知路由器哪能些數(shù)據(jù)包可以收、哪能數(shù)據(jù)包需要拒絕。至于數(shù)據(jù)包是被接收還是拒絕，可以由類(lèi)似于 源地址、目的地址、端口號(hào)等的特定指示條件來(lái)打算。訪(fǎng)問(wèn)掌握列表從概念上來(lái)講并不簡(jiǎn)單，簡(jiǎn)單的是對(duì)它的 配置和使用，很多初學(xué)者往往在使用訪(fǎng)問(wèn)掌握列表時(shí)消滅錯(cuò)誤。下面是對(duì)幾種訪(fǎng)問(wèn)掌握列表的簡(jiǎn)要總結(jié)。IP訪(fǎng)問(wèn)掌握列表一個(gè)標(biāo)準(zhǔn)IP訪(fǎng)問(wèn)掌握列表匹配IP包中的源地址或源地址中的一局部，可對(duì)匹配的包實(shí)行拒絕或允許兩個(gè)操作。編號(hào)范圍是199的訪(fǎng)問(wèn)掌握列表是標(biāo)準(zhǔn)IP訪(fǎng)問(wèn)掌握列表。IP訪(fǎng)問(wèn)掌握列表IP訪(fǎng)問(wèn)掌握列表比標(biāo)準(zhǔn)IP訪(fǎng)問(wèn)掌握列表具有更多的匹配項(xiàng)，包括協(xié)議類(lèi)型、源地址、目的地址、源端口、目的端口、建立連接的和IP優(yōu)先級(jí)等。編號(hào)范圍是從100199的訪(fǎng)問(wèn)掌握列表是擴(kuò)展IP訪(fǎng)問(wèn)掌握列表。命名的IP訪(fǎng)問(wèn)掌握列表所謂命名的IP訪(fǎng)問(wèn)掌握列表是以列表名代替列表編號(hào)來(lái)定IP語(yǔ)句與編號(hào)方式中相像。標(biāo)準(zhǔn)IPX訪(fǎng)問(wèn)掌握列表標(biāo)準(zhǔn)IPX訪(fǎng)問(wèn)掌握列表的編號(hào)范圍是800-899，它檢查IPX源網(wǎng)絡(luò)號(hào)和目的網(wǎng)絡(luò)號(hào)，同樣可以檢查源地址和目的地址的節(jié)點(diǎn)號(hào)局部。擴(kuò)展IPX訪(fǎng)問(wèn)掌握列表IPX訪(fǎng)問(wèn)掌握列表在標(biāo)準(zhǔn)IPX訪(fǎng)問(wèn)掌握列表的根底上，增加了對(duì)IPX報(bào)頭中以下幾個(gè)宇段的檢查，它們是協(xié)議類(lèi)型、源Socket、目標(biāo)Socket。擴(kuò)展IPX訪(fǎng)問(wèn)掌握列表的編號(hào)范圍是900-999。命名的IPX訪(fǎng)問(wèn)掌握列表與命名的IP訪(fǎng)問(wèn)掌握列表一樣，命名的IPX訪(fǎng)問(wèn)掌握列表是使用列表名取代列表編號(hào)。從而便利定義和引用列表，同樣有標(biāo)準(zhǔn)和擴(kuò)展之分。AccessAccesstoken訪(fǎng)問(wèn)令牌WhatAreAccessTokens?什么是訪(fǎng)問(wèn)令牌？訪(fǎng)問(wèn)令牌是一個(gè)被保護(hù)的對(duì)象，包含了與用戶(hù)帳戶(hù)相關(guān)的辨識(shí)和特權(quán)信息。當(dāng)用戶(hù)登陸到一臺(tái)windows計(jì)算機(jī)，登陸進(jìn)程會(huì)驗(yàn)證用戶(hù)的登陸憑據(jù)。成功后，登陸進(jìn)程返回一個(gè)SIDSIDLSA〔主訪(fǎng)問(wèn)令牌〕。該訪(fǎng)問(wèn)令牌包括了由登錄進(jìn)程返回的SIDs和一份由本地安全策略分發(fā)給用戶(hù)以及用戶(hù)安全組的特權(quán)列表。此后，這份訪(fǎng)問(wèn)令牌的拷貝會(huì)跟每個(gè)代表用戶(hù)執(zhí)行的線(xiàn)程和進(jìn)程鏈接。2種訪(fǎng)問(wèn)令牌，主要令牌和代表令牌。每個(gè)進(jìn)程有一個(gè)主要令牌，其描述了與該進(jìn)程相關(guān)的用戶(hù)帳戶(hù)的安全上下文。主要訪(fǎng)問(wèn)令牌主要是安排給一個(gè)進(jìn)程去表示改進(jìn)程的默認(rèn)安全信息。代表令牌通常C/S的情景。代表令牌使得一個(gè)線(xiàn)程可以執(zhí)行在與其所在進(jìn)程不同的安全上下文中。SID以及帳戶(hù)的特權(quán)。用戶(hù)權(quán)利和訪(fǎng)問(wèn)對(duì)象〔賜予給這些帳戶(hù)和組的ad對(duì)象，文件，注冊(cè)表設(shè)置〕的許可：Securityprincipals，SIDs，Securitydescriptorsandaccesscontrollists(ACLs).UserrightsandpermissionsRelationshipofAccessTokenstoOtherAuthorizationandAccessControlComponentssidsid。更具體的訪(fǎng)問(wèn)令牌組件列表實(shí)例：User SIDGroupssid列表！PrivilegesAlistofprivilegesheldonthelocalcomputerbytheuserandbytheuser’ssecuritygroups.DefaultOwnerTheSIDfortheuserorsecuritygroupwho,bydefault,becomestheownerofanyobjectthattheusereithercreatesortakesownershipof.PrimaryGroupeDresyy.snsdyyePOSIXsubsystemandisignoredbytherestofWindowsServer2022.DefaultDiscretionaryAccessControlList(DACL)Abuilt-insetofpermissionsthattheoperatingsystemappliestoobjectscreatedbytheuserifnootheraccesscontrolinformationisavailable.ThedefaultDACLgrantsFullControltoCreatorOwnerandSystem.SourceTheprocessthatcausedtheaccesstokentobecreated,suchasSessionManager,LANManager,orRemoteProcedureCall(RPC)Server.TypeAvalueindicatingwhethertheaccesstokenisaprimaryorimpersonationtoken.ImpersonationLevelAvaluethatindicatestowhatextentaservicecanadoptthesecuritycontextofaclientrepresentedbythisaccesstoken.StatisticsInformationabouttheaccesstokenitself.Theoperatingsystemusesthisinformationinternally.RestrictingSIDsAnoptionallistofSIDsaddedtoanaccesstokenbyaprocesswithauthoritytocreatearestrictedtoken.RestrictingSIDscanlimitathread’saccesstollrntheuserisallowed.TSSessionIDAvaluethatindicateswhethertheaccesstokenisassociatedwiththeTerminalServicesclientsession.SessionReferenceReservedforinternaluse.SandBoxInertNonzeroifthetokenincludestheSANDBOX_INERTflag.AuditPolicySinceWindowsServer2022,usedforperuserauditing.OriginIntroducedwithWindowsServer2022.Ifthetokenresultedfromalogonusingexplicitcredentials,thenthetokenwillcontaintheIDofthelogonsessionthatcreatedit.Ifthetokenresultedfromnetworkauthentication,thenthisvaluewillbezero.CreatingtheSIDListforUserAccounttoAccessSystemTheMechanismforImpersonationAnaccesstokenisaprotectedobjectthatcontainsinformationabouttheidentityandprivilegesassociatedwithauseraccount.WhenauserlogsoninteractivelyortriestomakeanetworkconnectiontoacomputerrunningWindows,thelogonprocessauthenticatestheuser’slogoncredentials.Ifauthenticationissuccessful,thelogonprocessreturnsasecurityidentifier(SID)fortheuserandalistofSIDsfortheuser’ssecuritygroups.TheLocalSecurityAuthority(LSA)onthecomputerusesthisinformationtocreateanaccesstokninthiscase,theprimaryaccesstoken—thatincludestheSIDsreturnedbythelogonprocessaswellasalistofprivilegesassignedbylocalsecuritypolicytotheuserandtotheuserssecuritygroups.AfterLSAcreatestheprimaryaccesstoken,acopyoftheaccesstokenisattachedtoeveryprocessandthreadthatexecutesontheuser’sbehalheneverathreadorprocessinteractswithasecurableobjectortriestoperformasystemtaskthatrequiresprivileges,theoperatingsystemcheckstheaccesstokenassociatedwiththethreadtodeterminethelevelofauthorizationforthethread.Therearetwokindsofaccesstokens,primaryandimpersonation.Everyprocesshasaprimarytokenthatdescribesthesecuritycontextoftheuseraccountassociatedwiththeprocess.Aprimaryaccesstokenistypicallyassignedtoaprocesstorepresentthedefau