Access Control
Differentiation between Authentication and Authorization
Access control is the means of authorizing a user to access a certain resource at a certain time. This is different from authentication, where you are only verifying a user's identity. Granted, when you log into a system there is normally an authentication that takes place as well as an authorization. For example, let's look at a typical Windows login scenario:
• A user goes up to a workstation in a Windows domain and types his or her username and password.
• This gets sent to the domain controller, which first authenticates the user (is the user who they claim to be?), then authorizes the user to log into the workstation (authorization). In most cases this is done behind the scenes, where the user doesn't realize (or even care) what is taking place.
Now let's look at an exception:
• The user may have a valid account, but may be trying to log into a server or other resource. The server may be restricted to certain accounts, so the user would see an error message saying they cannot log into this workstation. The credentials were accepted; it is the authorization step that failed.
Access Control in a UNIX World
In a typical UNIX environment, if you have an account with a valid username and password you can log in. This goes for any of the services such as FTP, TELNET, SSH, and any of the "R" commands (RLOGIN, RSH, REXEC and so forth). Whilst most of the newer flavors of UNIX are coming out with some form of access control, or the operating system is locked down to allow only SSH (and SSH-related commands), the same rule holds: if you have a valid username and password you can log into the system.
Special Consideration for the "root" account?
Now what about the "root" account? Best practices with respect to security dictate that users have "least privilege", that is, the least amount of access required for their job function. However, without implementing something akin to "sudo", giving someone root access is giving them the keys to the city. In addition, "sudo" is system specific: its rules live on each host and have to be maintained there.
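The following is an added example, not code from the page, from FoxT or from MBD Consulting. It models in Python the distinction drawn in the Windows login walkthrough above (authenticate first, then authorize against the resource and the time of day, with the "valid account but not permitted on this server" case producing a distinct denial) and the least-privilege point made about "root": instead of handing out the root password, a per-user allow list names the commands a user may run as root, and every decision, denials included, is written to an audit trail. All accounts, passwords, hostnames, policies and the `PBKDF2_ROUNDS` work factor are constructed sample values.

```python
"""Added example: authentication kept separate from authorization, with a
sudo-style root-command allow list and an audit trail. All data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime

PBKDF2_ROUNDS = 50_000  # demo work factor; production deployments use more


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(name: str, password: str) -> Account:
    """Directory entry with a salted, slow password hash (never the password itself)."""
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt))


def authenticate(directory: dict[str, Account], name: str, password: str) -> bool:
    """Authentication only: is this really the named user? Says nothing about access."""
    acct = directory.get(name)
    # Hash even for unknown names so response time does not reveal which accounts exist.
    candidate = _hash(password, acct.salt if acct else b"\0" * 16)
    return acct is not None and hmac.compare_digest(candidate, acct.pw_hash)


@dataclass
class HostPolicy:
    """Authorization data for one host: who may log in, when, and what they may run as root."""
    allowed_users: frozenset[str]
    logon_hours: tuple[int, int] = (0, 24)  # [start, end) hour of day
    root_commands: dict[str, frozenset[str]] = field(default_factory=dict)  # user -> commands


AUDIT: list[tuple[str, str, str, str, str]] = []  # (event, user, host, decision, reason)


def _record(event: str, user: str, host: str, decision: str, reason: str) -> tuple[str, str]:
    """Every decision is logged, denials included, so later disputes can be settled from the trail."""
    AUDIT.append((event, user, host, decision, reason))
    return decision, reason


def login(directory, policies, user: str, password: str, host: str, when: datetime) -> tuple[str, str]:
    """Authenticate first; only then authorize the login against the host's policy."""
    if not authenticate(directory, user, password):
        return _record("login", user, host, "DENY", "bad credentials")
    policy = policies.get(host)
    if policy is None or user not in policy.allowed_users:
        # Valid account, wrong resource: the page's "cannot log into this workstation" case.
        return _record("login", user, host, "DENY", f"account not permitted on {host}")
    start, end = policy.logon_hours
    if not start <= when.hour < end:
        return _record("login", user, host, "DENY", "outside permitted logon hours")
    return _record("login", user, host, "ALLOW", "")


def run_as_root(policies, user: str, host: str, command: str) -> tuple[str, str]:
    """Least privilege: a command runs as root only if the host policy lists it for this user."""
    policy = policies.get(host)
    allowed = policy.root_commands.get(user, frozenset()) if policy else frozenset()
    if command in allowed:
        return _record("root-exec", user, host, "ALLOW", command)
    return _record("root-exec", user, host, "DENY", f"{command} not in allow list")


# Constructed sample directory, policies and timestamps (not real accounts or hosts).
DIRECTORY = {
    "alice": make_account("alice", "correct horse"),
    "bob": make_account("bob", "battery staple"),
}
POLICIES = {
    "workstation1": HostPolicy(allowed_users=frozenset({"alice", "bob"}), logon_hours=(7, 19)),
    "server1": HostPolicy(
        allowed_users=frozenset({"bob"}),
        root_commands={"bob": frozenset({"/sbin/reboot", "/usr/sbin/service"})},
    ),
}
SAMPLE_NOON = datetime(2024, 1, 15, 12, 0)
SAMPLE_NIGHT = datetime(2024, 1, 15, 2, 0)

if __name__ == "__main__":
    print(login(DIRECTORY, POLICIES, "alice", "wrong", "workstation1", SAMPLE_NOON))
    print(login(DIRECTORY, POLICIES, "alice", "correct horse", "server1", SAMPLE_NOON))
    print(run_as_root(POLICIES, "bob", "server1", "/bin/sh"))
    for entry in AUDIT:
        print(entry)
```

The two denial reasons for `alice` are deliberately different: a bad password fails in `authenticate`, while the attempt on `server1` passes authentication and fails in `login`'s policy check, which is exactly the distinction the page draws. Centralizing the `POLICIES` table rather than keeping it on each host is the gap that per-host `sudo` configuration leaves open.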
BoKS Manager
UNIX access woes are solved with BoKS Manager from FoxT. With 20 years of experience with UNIX access control, nobody does a better job of UNIX access control. Here are some key advantages of BoKS Manager:
- Centralized user account management
- Control over the typical services such as TELNET, FTP, RLOGIN, REXEC as well as SSH
- Enhanced "root" access with SUEXEC that includes keystroke logging
- Logging of all access attempts, administration and security activities to provide non-repudiation
And more...
At MBD Consulting, we have vast experience with this product as well, spanning from its relative infancy in 1995. Call us or email us today to find out how BoKS Manager can simplify and enhance your UNIX environment.