
Windows Access Control: ACL, DACL, SACL, & ACE

Control over who has access to what is one of the basic concepts for granting access to any user or machine. In an enterprise network, access control helps in limiting access of all users and machines to only those apps or data points that they need to perform their individual roles.

Access control as a concept refers to the security features that help control who has access to the resources in an operating system and what degree of access they have. As a security concept, access control or network access control is the basis that helps you segment your network, one of the fundamental requirements of network security.

In this article, we will discuss a few terms for controlling permissions on securable objects that are instrumental in access control. First, we’ll look at what securable objects and security descriptors are, the two major concepts you will need to be aware of to understand controlling permissions better.

What Are Securable Objects & Security Descriptors?

Any object can be called a securable object if it has a security descriptor. Though all named Windows objects are securable, some unnamed objects, too, can have security descriptors. Some examples of named and unnamed objects are:

Unnamed Objects — Processes and threads (the author compares these to a huddle in Slack). They are not persisted; the object ceases to exist the moment the process or thread ends.
Named Objects — Files, directories, access tokens, network shares, devices, printers, desktops, window stations, and Active Directory objects such as users or user groups.

Security Descriptors hold the security information about securable objects, such as:

  • Ownership details like security identifiers (SID) of the owner of an object and the group it belongs to.
  • A list of the users and groups allowed or denied access and the degree of access they have to the securable object. This list is called the discretionary access control list (DACL).
  • A list that contains the types of access attempts that are to be audited. This list is called the system access control list (SACL).

In the context of Active Directory, all objects have security descriptors. You will find more information about DACL and SACL in the next section, where we’ll discuss the access control list and its components.

What Is an Access Control List?


The access control list contains permissions for each user and machine in the context of an object or a resource. The list specifies the users and machines with access to a specific object and the degree of access regarding what operations are permitted for each user or machine.

An ACL can be used to control permissions for any resource in the network as well as for the network itself. ACLs can be configured on routers or switches to control which users and machines may access the network. For objects, the security descriptor carries the access control lists naming the users and the level of access each user has to the object.

One of the most common examples of ACL is a file ACL that will have each user with different levels of access defined, such as read-only, write or edit. Let’s take the example of an attendance tracker app for a school. A student may have read-only access, whereas a teacher or an administrator may have access to edit the tracker.

How Does an Access Control List Work?

Each user or machine with access to an object, system, or network is one entry in the ACL and is referred to as an access control entry (ACE). The trustee named by an ACE may be an individual user or a group with common roles.

For an example of an ACE for a group or role, a user with the role of an HR analyst for an HR portal app will have edit privileges, but a user from the customer support group may have read access only.

Each access control entry (ACE) carries a defined access right, set according to company policy requirements, that determines whether the requesting principal is allowed or denied that access. ACEs also define which access attempts will be audited, and how, for that security principal.

Use Cases of Access Control List

Access control lists have many uses, from controlling permissions on objects like printers, to operating systems like Windows and Linux, to remote access devices like Wi-Fi routers or VPNs. They work as a checklist for confirming who has access and to what degree, whether for a device used directly by an end user or for network access enforced through RADIUS servers.

For network access control, the access control list helps network administrators segment networks for a greater degree of network security and granular control over all users and machines connecting to the network. These types of ACLs are called networking ACLs. Networking ACLs are also applied on routers and network switches to define which traffic is allowed to interface with the network, for example through the access control list assigned by a RADIUS server.

The access control list for a machine holds information about which users may access that machine and the degree of access each user has to the system. ACLs of this type, which instruct the OS about user access, are called file system ACLs, as they define access to files and directories.

For example, a student with access to a cafeteria computer may only have access to check their email. In contrast, a network administrator will have access to change settings that may limit the level of access to the intranet only.

Types of Access Control Lists

As discussed above, every object has a security descriptor, and the two important ACLs it can hold are as follows.

Discretionary Access Control List (DACL)

A DACL or discretionary access control list lists the users and groups allowed or denied access to an object. A user who is neither named in the DACL nor a member of any group it names will be denied access.

By default, a DACL is controlled by the user who created the object or the owner of the object that the DACL belongs to. Just like in the case of an ACL, each entry of the list is called an access control entry or ACE.

System Access Control List (SACL)

A SACL or system access control list is the list that specifies which users or access events are to be audited when access to the object is granted or denied. This is very useful in identifying security breaches and determining the exact location and degree of damage.

Just as in the case of a DACL, the system access control list is controlled by default by the owner or creator of the object. The access control entries (ACEs) of a SACL determine whether a record is written for a failed attempt, a successful one, or both, at the time a user tries to access the object.
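The DACL and SACL rules described in the two sections above, as an added example that is not part of the original article and does not call the Win32 API: a small model of how Windows walks a DACL in order (a matching deny on a still-needed right ends the check, allow entries accumulate until the request is satisfied, anything left over is denied) and of how SACL entries decide whether a success or failure is recorded. The access-mask bits, audit flag values and the attendance-tracker object are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Access-mask bits; constructed values standing in for the page's read/write/modify/full.
READ, WRITE, MODIFY = 0x1, 0x2, 0x4
FULL = READ | WRITE | MODIFY
ALLOW, DENY, AUDIT = "allow", "deny", "audit"
AUDIT_SUCCESS, AUDIT_FAILURE = 0x40, 0x80      # constructed audit-ACE flag values

@dataclass
class Ace:
    kind: str         # ALLOW / DENY (DACL entries) or AUDIT (SACL entries)
    trustee: str      # user or group (the security principal) the entry names
    mask: int         # rights the entry covers
    flags: int = 0    # AUDIT entries: record on success, on failure, or both

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]                       # None models a NULL DACL
    sacl: List[Ace] = field(default_factory=list)

def access_check(sd, principal, groups, requested):
    """Walk the DACL in order: a matching deny on any still-needed right ends the check."""
    if sd.dacl is None:
        return True                  # NULL DACL: no protection, everyone gets everything
    identities = {principal, *groups}
    remaining = requested
    for ace in sd.dacl:              # an empty DACL never enters the loop: everyone denied
        if ace.kind == AUDIT or ace.trustee not in identities:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask   # allow entries accumulate until nothing is left
        if remaining == 0:
            return True
    return False                     # rights no entry grants are implicitly denied

def audit_events(sd, principal, groups, requested, granted):
    """Trustees whose SACL entries would write an audit record for this outcome."""
    identities = {principal, *groups}
    want = AUDIT_SUCCESS if granted else AUDIT_FAILURE
    return [a.trustee for a in sd.sacl if a.kind == AUDIT and a.trustee in identities
            and a.mask & requested and a.flags & want]

def tracker_descriptor():
    """Constructed attendance tracker: students read, teachers full, one student denied writes."""
    return SecurityDescriptor("Admin", dacl=[Ace(DENY, "Bob", WRITE), Ace(ALLOW, "Students", READ),
        Ace(ALLOW, "Teachers", FULL)], sacl=[Ace(AUDIT, "Students", WRITE, AUDIT_FAILURE)])
```

The model leaves out two details of the real check: Windows orders ACEs canonically (explicit deny, explicit allow, then inherited entries) and implicitly grants the owner READ_CONTROL and WRITE_DAC, which is why a deny ACE placed before a later allow, as with "Bob" above, wins.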

Difference Between ACL, DACL & SACL

ACL, DACL, and SACL are often used interchangeably, and all three are access control lists. However, they differ from each other mainly in their scope.

ACL
The access control list specifies the users and machines with access to a specific object, the degree of access they have, and the security policies for audits. An ACL can either define user or group access or define which access-denied or access-granted events are to be recorded for auditing.

DACL
A DACL contains details that identify which users or groups have access to an object and which are denied access. Only the access control lists that define the degree of access for users and groups are called DACLs.

SACL
A SACL defines which access-granted or access-denied events are to be recorded for auditing. Only access control lists that define how each access attempt is to be audited are called SACLs.

Implementing Access Control on Windows

Windows access control allows systems running the Windows operating system to control who has access to the resources in the operating system and to what degree they have access. Once a user is authenticated to the system, Windows uses its built-in access control mechanisms to verify whether the user holds the permissions required to access a resource within the system.

Shared resources are available to users and groups as well as to the resource owner. To protect them from unauthorized access, Windows access control uses access control lists (ACLs), namely the DACL and SACL, whose ACEs define who is allowed or denied access and which access attempts are audited.

Some examples of objects or resources in Windows OS are folders, files, printers, and Active Directory Domain Services (AD DS) objects.

How Windows Access Control Works

The Windows access control system uses the DACL and SACL access control lists to define permission levels and audit protocols. Each resource owner can assign permissions to users in the access control lists and define how checks or audits are performed.

A DACL contains the list of users and groups, with each user or group as one ACE to which the resource or object owner assigns a permission level. These access levels are usually categorized as read, write, modify, or full control. Using a SACL, system administrators can control which access-granted or access-denied events need to be recorded (for auditing purposes) during access control checks.

Challenges With Windows Access Control

Windows access control is one of the most widely used solutions; however, it is not the most effective tool for network access control for your entire network.

It can only be used with systems running the Windows OS. In the current environment, where many types of systems connect to your network, it fails to be the one central solution for all of them. Also, Windows access control requires on-prem infrastructure, which is not ideal in today’s environment, with users logging in from multiple remote locations.

Another major disadvantage of Windows access control is that authentication of the user logging in to the system is often done with password-based authentication, which is not considered the most secure method. Passwords can be stolen, easily replicated, or shared, so they are not the most reliable method of authentication. The whole exercise of access control is compromised if the first step, authenticating the user’s identity with certainty, is missing.

Access Control Lists With Other Solutions

The use of an access control list, however, is not limited to just Windows access control. Controlling who has access to which degree is the basis of modern-day network access control, and an ACL plays a big role in executing access control. Access control lists are an integral part of any technology for network access control. Here are some examples of ACL usage with other solutions.

Access Control Lists (ACL) With Azure

The use of an ACL in Windows is not limited to on-prem AD. Access control lists are used in Azure too. As a part of its cloud infrastructure, Microsoft Azure uses ACL for access control.

Though Azure is primarily a role-based access control solution, it does have the option to use and manage ACLs for files and directories. Each file and directory in your storage account has an access control list. Whenever there is an operation on the file or directory, an ACL check is performed to ensure that the user or group has the right permissions for the operation.

Access Control Lists (ACL) With RADIUS

Access control lists are an important component of a RADIUS server. An ACL is configured on a RADIUS server and filters IP traffic. Once a user or machine is authenticated by the server, the RADIUS server dynamically assigns an ACL for IP traffic filtering to grant or deny access to network resources.

An ACL helps RADIUS determine the access level and direct each access request to the network segment that user or machine is entitled to. An ACL plays an important role in defining and implementing network segmentation policies for enhanced network security.

Drawbacks of Access Control Lists

One of the major issues with the access control list is that it assumes the user or machine accessing has already been verified. Therefore, its effectiveness depends on the authentication protocol used when requesting access to the network.

With password-based authentication, it is impossible to confirm that the user or machine requesting access is who they say they are, especially in an environment where there are a lot of users logging in to your network remotely. Passwords are susceptible to over-the-air attacks, and human involvement in the authentication process always leaves room for error.

Even if you create a strong access control list, keeping in mind all network policies, it may not be an effective enough tool for network access control if the authentication method has been compromised.

Cloud RADIUS for Network Access Control

Cloud RADIUS can help mitigate the risks involved with password-based authentication and provides a well-rounded infrastructure for network access control. Some of the biggest strengths of Cloud RADIUS are as follows.

  • Cloud RADIUS uses certificate-based authentication that gives you a passwordless authentication experience for Wi-Fi, VPN, single sign-on, and wired networks, to name a few. It has a built-in turnkey PKI solution that automates end-to-end lifecycle management of certificates. With certificates, you can be sure of the user’s identity, as certificates cannot be stolen or replicated, thus giving you better control over your network.
  • Cloud RADIUS offers easy-to-customize certificate templates that help you implement network policies with a greater degree of precision. You can define attributes to ensure that the users are directed to their appropriate network and are given access only to the degree they are authorized for.
  • It is completely cloud-based, so there is no need for on-prem infrastructure that is expensive and time-consuming to set up, manage, and scale. It is natively integrated with cloud identities like Google, Okta, and Azure AD, which makes for a seamless passwordless authentication experience with the real-time implementation of network policies and network access control based on user, group, and attributes.
  • It is ideal for an enterprise network with people connecting remotely using different types of devices, from managed devices to BYOD and IoT. SecureW2’s Cloud RADIUS onboarding solutions are easy to use, and the solution is closely tied with MDM solutions like Jamf and Intune.
  • Cloud RADIUS context-based access control uses artificial intelligence for behavior learning that helps monitor and detect any suspicious activity in your network and terminate it dynamically.

Implement Modern Cloud Access Control With SecureW2

Access control as a concept of network security is vast and has many facets that only one solution cannot cover. ACLs are crucial in implementing network access control. However, they alone cannot secure your information. There is a need for a comprehensive solution that covers all aspects of access control, authentication, authorization, and accounting.

SecureW2 offers end-to-end network access control solutions, from onboarding to creating and implementing customized network access policies to monitoring network activity. Secure your network with SecureW2 solutions that are affordable and can be customized to best fit your organization’s needs.


Amrita Medhi

Amrita Medhi loves reading & spending time with her dogs. She graduated from Bangalore University in Sociology. She is passionate about writing technical content as it gives her the opportunity to learn new things in technology.
