If you’re planning on taking the Security+ exam, you should have a good understanding of implementing logical access control methods. When studying these methods, it’s valuable to understand some underlying principles.
For example, can you answer this question?
Q. You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization’s domain. Which of the following choices BEST describes this example?
A. Least privilege
B. Need to know
C. User-based privileges
D. Separation of duties
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Logical access control methods are implemented through technologies such as Group Policy and account management tools. They control access to the logical network as opposed to controlling access to the physical areas of a building or physical access to devices within the network. Some underlying principles are the principle of least privilege and the principle of need to know.
Least Privilege
The principle of least privilege is an example of a technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more. For example, if Lisa needs read access to a folder on a server, you should grant her read access to that folder, but nothing more: not write or modify on that folder, and not read access to the rest of the share.
A primary goal of implementing least privilege is to reduce risks. As an example, imagine that Carl works at the Nuclear Power Plant, but administrators have not implemented the principle of least privilege. In other words, Carl has access to all available data within the Nuclear Power Plant, not just the limited amount of data he needs to perform his job. Later, Lenny gets into trouble and needs money, so he convinces Carl to steal data from the power plant so that they can sell it. In this scenario, Carl can steal and sell all the data at the plant, which can result in serious losses.
In contrast, if administrators applied the principle of least privilege, Carl would only have access to a limited amount of data. Even if Lenny convinces him to steal the data, Carl wouldn’t be able to steal very much simply because he doesn’t have access to it. This limits the potential losses for the power plant.
This principle applies to regular users and administrators. As an example, if Marge administers all the computers in a training lab, it’s appropriate to give her administrative control over all these computers. However, her privileges don’t need to extend to the domain, so she wouldn’t have administrative control over all the computers in a network. Additionally, she wouldn’t have the privileges required to add these computers to the domain, unless that was a requirement in the training lab. Similarly, if a network administrator needs to review logs and update specific network devices, it’s appropriate to give the administrator access to these logs and devices, but no more.
Many services and applications run under the context of a user account. These services have the privileges of this user account, so it’s important to ensure that these accounts are only granted the privileges needed by the service or the application. In the past, many administrators configured these service and application accounts with full administrative privileges. When attackers compromised a service or application configured this way, they gained administrative privileges and wreaked havoc on the network. The better practice is a dedicated low-privilege account for each service, such as a built-in account like Network Service or a managed service account, so that compromising one service gives an attacker only what that service needed.
Remember this
Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.
Need to Know
The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information that they need to know for their job. Notice that need to know is focused on data and information, which is typically protected with permissions. In contrast, the principle of least privilege includes both rights and permissions.
Rights refer to actions a user can perform on a system, such as changing the system time, installing an application, or joining a computer to a domain. Permissions refer to the level of access granted to an object such as a file or folder, for example read, write, and modify.
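The following is an added example, not code from the original post, that models the distinction just described: rights are actions on a computer or the domain, permissions are access to an object such as a folder, and both are resolved through group membership with deny by default. It covers the least privilege scenarios above (Lisa’s read-only folder, Marge’s lab-only administration, a service account with only the access it needs) and Carl’s over-broad access, which the review function surfaces as grants beyond what the job requires. All users, groups, host names and share paths are hypothetical and constructed for the example.

```python
"""Least-privilege authorization check: rights (actions on a computer or the
domain) versus permissions (access to a file or folder), resolved through
group membership with deny by default, plus a review that lists grants a
principal holds beyond what a task needs.

Added example, not code from the original post. All users, groups, hosts
and share paths are hypothetical, constructed for the example."""

# Rights are actions; the target is the computer (or domain) where the
# right applies.  Permissions apply to objects such as files and folders.
RIGHTS = {"change_system_time", "install_application",
          "join_computer_to_domain", "read_security_log"}
PERMISSIONS = {"read", "write", "modify"}

LAB_HOSTS = [f"lab-pc-{i:02d}" for i in range(1, 19)]   # the 18 lab computers
DOMAIN = "corp.example"
PROJECTS = r"\\fs01\projects"
PAYROLL = r"\\fs01\payroll"
REACTOR = r"\\fs02\reactor-logs"

# Group -> grants, each grant being (action, target).  Constructed sample data.
GROUP_GRANTS = {
    # Local Administrators on the lab machines only: every right on those
    # hosts, but no right on the domain, so no joining computers to it.
    "LAB\\Administrators": {(right, host)
                            for right in RIGHTS - {"join_computer_to_domain"}
                            for host in LAB_HOSTS},
    "CORP\\Domain Admins": {("join_computer_to_domain", DOMAIN)},
    "CORP\\Network Operators": {("read_security_log", "core-sw-01")},
    "CORP\\Project Readers": {("read", PROJECTS)},
    # Over-broad group: read on every share regardless of job.
    "PLANT\\All Data Readers": {("read", PROJECTS), ("read", PAYROLL),
                                ("read", REACTOR)},
}

# User -> groups, and direct grants made outside of any group.
USER_GROUPS = {
    "marge": {"LAB\\Administrators"},
    "lisa": {"CORP\\Project Readers"},
    "carl": {"PLANT\\All Data Readers"},
    "svc-backup": set(),
}
USER_GRANTS = {
    # Service account: read on the data it backs up, no rights at all.
    "svc-backup": {("read", PROJECTS)},
}


def effective_grants(user: str) -> set[tuple[str, str]]:
    """Union of direct grants and the grants of every group the user is in."""
    grants = set(USER_GRANTS.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        grants |= GROUP_GRANTS.get(group, set())
    return grants


def is_allowed(user: str, action: str, target: str) -> bool:
    """Deny by default: only an explicit grant of this action on this target
    permits it.  Unknown actions raise rather than silently deny, so a typo
    in a policy check is noticed instead of being mistaken for a denial."""
    if action not in RIGHTS and action not in PERMISSIONS:
        raise ValueError(f"unknown action {action!r}")
    return (action, target) in effective_grants(user)


def excess_grants(user: str,
                  required: set[tuple[str, str]]) -> set[tuple[str, str]]:
    """Least-privilege review: what the user can do that the job does not need."""
    return effective_grants(user) - required


if __name__ == "__main__":
    # Marge administers the lab but cannot join machines to the domain.
    print(is_allowed("marge", "install_application", "lab-pc-07"))   # True
    print(is_allowed("marge", "join_computer_to_domain", DOMAIN))    # False
    # Lisa has read on the folder she needs and nothing else.
    print(is_allowed("lisa", "read", PROJECTS))                      # True
    print(is_allowed("lisa", "write", PROJECTS))                     # False
    # Carl's review shows what he could take beyond his job's one share.
    print(sorted(excess_grants("carl", {("read", PROJECTS)})))
```

The review function is the part worth copying: run it against the grants a role actually needs and anything left over is a candidate for removal, which is how least privilege is maintained after the initial setup rather than only at account creation.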
Q. You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization’s domain. Which of the following choices BEST describes this example?
A. Least privilege
B. Need to know
C. User-based privileges
D. Separation of duties
Answer is A. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job, and this is exactly what is described in this scenario.
Need to know typically refers to data and information rather than the privileges required to perform an action, such as adding computers to a domain.
User-based privileges refer to giving permissions to individual users rather than groups, and this question doesn’t address either user-based privileges or group-based privileges.
Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process, and it isn’t addressed in this question either.