The exam’s most frequent OS security trap is assigning the wrong function to AD vs. Group Policy. They are complementary but distinct. The separation is clean once you internalize one rule:
- Active Directory = WHO — who the user is, what groups they belong to, whether their account exists, what their password is. AD is a database of identities and resources. It does not push settings to computers.
- Group Policy = WHAT — what the computer or user can and cannot do. GP pushes settings (password rules, screen locks, USB blocks) to machines and users. It relies on AD as its delivery infrastructure but is a separate technology.
Common wrong answers to recognize and reject:
- “Active Directory enforces password complexity on all workstations” — Wrong. Password complexity is a Group Policy setting, not an AD user attribute.
- “Group Policy stores user accounts and handles authentication” — Wrong. Authentication is AD’s function.
- “Group Policy can function as a standalone without Active Directory” — Partially wrong. Local Group Policy exists on every Windows machine but has no central management. Domain-scale Group Policy requires AD.
Help desk tasks (password resets, account unlocks, group membership changes) = Active Directory.
Security configuration deployment (screen lock, USB disable, login scripts) = Group Policy.
DAC and MAC are tested as a concept pair on the exam. The distinguishing question is always: who has the authority to set permissions?
- DAC — the owner decides. In standard Linux, the user who creates a file controls who can access it. The system enforces those choices, but the choice itself belongs to the owner. This is “discretionary” because it is at the owner’s discretion.
- MAC — the policy decides. An administrator defines security rules at the system level. No user — not even the resource owner — can grant permissions that the policy prohibits. This is “mandatory” because the policy is mandatory and cannot be circumvented.
The exam trigger phrases:
- “Users cannot override security policies regardless of file ownership” → MAC
- “Resource owners determine who can access their files” → DAC
- “Centrally enforced, cannot be changed by users” → MAC
- “Default Linux access control model” → DAC
- “SELinux” → always MAC
Memory hook: Discretionary = your own discretion (the owner chooses). Mandatory = you have no choice (the policy mandates it).
The exam scenario that catches candidates off guard: Linux file permissions (DAC) would allow an access, but the access is still denied. Candidates reach for iptables, sudo, or AppArmor. The answer is SELinux.
How SELinux interacts with Linux DAC permissions:
- Linux checks DAC file permissions first. If DAC denies, the access is blocked — SELinux is not consulted.
- If DAC permits, SELinux policy is checked second. If SELinux denies, the access is blocked regardless of what DAC said.
- Both must allow. DAC alone permitting is not sufficient.
Application confinement in practice: The web server process runs as user apache. In DAC, apache might have read access to its home directory and several configuration files. In SELinux, the httpd_t process label is only allowed to access specific resource labels — web content, web ports, web logs. Even if apache has DAC read access to /etc/shadow, the SELinux policy for httpd_t does not include the shadow_t label — access denied.
Exam scenario: “The file permissions would have allowed the access, but it was denied.” → SELinux enforced MAC policy after DAC check passed.
The principle of least privilege runs through the entire chapter, implemented differently at each layer. The exam tests whether candidates can identify which technology is the right tool for least-privilege enforcement in a given context:
- Active Directory — identity-layer least privilege: Users get access only to the groups (and therefore resources) their role requires. Access is provisioned by group membership, not broad individual grants. Offboarding removes group memberships, immediately revoking access.
- Group Policy — workstation-layer least privilege: Standard users cannot install software, access system tools, or change security settings. Admin rights are removed from end-user accounts. Users can only do what the policy explicitly permits on their workstation.
- SELinux — kernel-layer least privilege: Processes are confined to exactly the kernel resources their security label permits. No runtime override is possible. Least privilege is enforced even against root-level exploits because SELinux policy can restrict what even root can do within a process context.
The exam question pattern: “Which technology enforces least privilege at the operating system kernel level?” → SELinux. “Which technology prevents users from installing unauthorized software on Windows workstations?” → Group Policy. “Which technology limits user access to only the network resources their role requires?” → Active Directory (group-based access control).