Chapter 91 · Flashcards

Operating System Security — Flashcards

Ten cards covering Active Directory objects and functions, Group Policy capabilities and scope, the DAC vs. MAC distinction, SELinux architecture and application confinement, and the principle of least privilege. Click any card to flip it.

What is Active Directory, and what five categories of objects does it store?

Active Directory is Microsoft’s centralized directory service for Windows networks. It stores: 1. User accounts (credentials, group memberships). 2. Computer accounts (all domain-joined devices). 3. Security groups (collections sharing a permission set). 4. File shares and printers (network resources). 5. Organizational Units (OUs) (containers for policy targeting and delegation). AD is the single source of truth for identity in a Windows domain.

What are the four main help desk tasks performed through Active Directory?

1. Password resets — when a user forgets or expires their password. 2. Account creation — provisioning new employees with domain credentials. 3. Account deletion/disabling — removing access when someone leaves; disabling preserves audit history. 4. Account unlock — restoring access after too many failed login attempts triggered a lockout. Also: group membership changes to grant or revoke resource access.

What is the security advantage of group-based access control in Active Directory over assigning permissions to individual users?

With group-based access control, permissions are assigned once to the group. Adding a user to the group instantly grants all the group’s access rights; removing them revokes it. This scales to thousands of users: instead of editing permissions on every resource for every user, administrators manage group membership. It also reduces the chance of permission errors and makes access reviews simpler — review the group, not hundreds of individual ACL entries.

What is Group Policy, where is it managed, and what does it depend on to work at domain scale?

Group Policy is the Windows mechanism for centrally deploying configuration and security settings to domain-joined computers and users. It is managed through the Group Policy Management Editor. Settings are packaged in Group Policy Objects (GPOs) linked to OUs, domains, or sites in Active Directory. Domain-scale Group Policy depends on Active Directory — GPOs are stored in AD and delivered by domain controllers. Without AD, only Local Group Policy (single machine, no central management) is available.

Name four concrete security settings that Group Policy can enforce across all Windows workstations from a single console.

1. Password policy — minimum 14 characters, complexity requirements (upper, lower, number, symbol). 2. Screen lock timeout — lock after 5 minutes of inactivity. 3. USB storage restriction — disable removable media on all workstations. 4. Software restriction — prevent users from installing unauthorized applications. Also common: audit logging on all systems, firewall rule deployment, automatic network drive mapping, certificate deployment.

What is Discretionary Access Control (DAC), and what is its key security limitation?

DAC — the resource owner controls permissions. In Linux, the user who creates a file decides who can read, write, or execute it (chmod/chown). Key limitation: if a user account or process is compromised, the attacker inherits all permissions that user/process had. A compromised process can access any resource the owner granted it access to — there is no kernel-level confinement preventing the process from using those permissions maliciously.

What is Mandatory Access Control (MAC), and how does it differ from DAC?

MAC — a central administrator defines security policies that control all access. Users and processes cannot override these policies, even if they are the resource owner. In DAC, the owner is sovereign over their resources. In MAC, the policy is sovereign — owner preferences are irrelevant if they contradict the policy. MAC provides stronger post-compromise protection because an attacker controlling a process is still confined to what the MAC policy permits for that process label.

What is SELinux, who developed it, and which Linux distributions include it by default?

SELinux (Security-Enhanced Linux) is a set of security patches for the Linux kernel that adds Mandatory Access Control. Originally developed by the NSA, it is now open source. It is included by default in Red Hat Enterprise Linux (RHEL), CentOS, and Fedora. Because it is open source, it can also be installed on other Linux distributions. SELinux adds MAC capabilities without replacing the existing DAC system — both checks are enforced, and both must allow an access for it to succeed.

How does SELinux confine a web server process, and why does this limit the damage from a successful exploit?

SELinux assigns every process a security label (context). Policy rules define which process labels can access which resource labels. A web server process label (e.g., httpd_t) is only permitted to access web content directories, listen on web ports, and perform web-related operations. If the server is exploited: the attacker cannot read /etc/shadow (wrong label), cannot modify system binaries (wrong label), cannot open arbitrary outbound connections. The breach is contained within the web server’s security context — even though the process is fully compromised.

What is the principle of least privilege, and which three technologies in this chapter enforce it?

Least privilege: users and processes receive only the minimum permissions necessary to perform their required functions — nothing more. It reduces the attack surface and limits the impact of compromised accounts. Three implementations: Active Directory — group-based permissions grant only the access each role needs. Group Policy — restricts what standard users can do on workstations (no software install, no system settings). SELinux — confines each process to exactly the kernel-level resources its security policy permits.