
FIPS PUB 191

• termination of connection after multiple failed logins
• user notification of ‘last successful login’ and ‘number of login failures’,
• real-time user verification mechanism,
• cryptography with unique user keys.

2.2.2 Access Control

This service protects against the unauthorized use of LAN resources, and can be provided by the use of access control mechanisms and privilege mechanisms. Most file servers and multi-user workstations provide this service to some extent. However, PCs which mount drives from the file servers usually do not. Users must recognize that files used locally from a mounted drive are under the access control of the PC. For this reason it may be important to incorporate access control, confidentiality and integrity services on PCs to whatever extent possible. Appendix C highlights some of the concerns that are inherent in the use of PCs.

According to [NCSC87], access control can be achieved by using discretionary access control or mandatory access control. Discretionary access control is the most common type of access control used by LANs. The basis of this kind of security is that an individual user, or program operating on the user’s behalf is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control. Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user’s trust level or clearance and the sensitivity designation of the information.

Access control mechanisms exist that support access granularity for acknowledging an owner, a specified group of users, and the world (all other authorized users). This allows the owner of the file (or directory) to have different access rights than all other users, and allows the owner to specify different access rights for a specified group of people, and also for the world. Generally access rights allow read access, write access, and execute access. Some LAN operating systems provide additional access rights that allow updates, append only, etc.

A LAN operating system may implement user profiles, capability lists or access control lists to specify access rights for many individual users and many different groups. Using these mechanisms allows more flexibility in granting different access rights to different users, which may provide more stringent access control for the file (or directory). (These more flexible mechanisms prevent having to give a user more access than necessary, a common problem with the three level approach.) Access control lists assign the access rights of named users and named groups to a file or directory. Capability lists and user profiles assign the files and directories that can be accessed by a named user.
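The over-granting that the three level approach forces, and the way access control lists and capability lists describe the same rights from opposite sides, shown as an added example that is not part of FIPS PUB 191. The users, the group, the file path and the wanted rights are all constructed for illustration, and the evaluation order in each check is an assumption of this model.

```python
# Added illustration; all names, paths and rights below are constructed.
USERS = {"alice", "bob", "carol", "dave"}
WANTED = {"alice": {"r", "w"}, "bob": {"r"}, "carol": {"r", "w"}}  # intended policy
PROJECT = {"bob", "carol"}                       # the single group the file can name
MODE = {"owner": "rw", "group": "rw", "world": ""}  # least mode that lets carol write
ACL = {("user", "alice"): "rw", ("user", "bob"): "r", ("user", "carol"): "rw"}

def three_level_rights(user, owner="alice", group=PROJECT, mode=MODE):
    """Owner/group/world: the first class the user falls into decides."""
    if user == owner:
        return set(mode["owner"])
    if user in group:
        return set(mode["group"])
    return set(mode["world"])

def acl_rights(user, acl=ACL, groups=None):
    """ACL: a named-user entry wins; otherwise union of matching group entries."""
    if ("user", user) in acl:
        return set(acl[("user", user)])
    rights = set()
    for (kind, name), r in acl.items():
        if kind == "group" and user in (groups or {}).get(name, ()):
            rights |= set(r)
    return rights

def excess(rights_of):
    """Rights each user receives beyond WANTED, i.e. the over-grant."""
    extra = {u: rights_of(u) - WANTED.get(u, set()) for u in sorted(USERS)}
    return {u: e for u, e in extra.items() if e}

def capability_lists(acls):
    """Turn per-file ACLs (object -> users) into per-user lists (user -> objects)."""
    caps = {}
    for path, acl in acls.items():
        for (kind, name), r in acl.items():
            if kind == "user":
                caps.setdefault(name, {})[path] = set(r)
    return caps

if __name__ == "__main__":
    print("three-level over-grant:", excess(three_level_rights))
    print("ACL over-grant:", excess(acl_rights))
    print("capability lists:", capability_lists({"/srv/report.txt": ACL}))
```

With one group per file, giving carol write access also gives it to bob; the ACL expresses the intended policy with no excess rights.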