The Mandatory Access Control Method Computer Science Essay


Security is a set of processes and products. In order for a security program to be effective, all of the following parts must work and be coordinated by the organization:

1) Antivirus software

2) Access control

3) Authentication

5) Accessing the Internet

Access control: this area evaluates mechanisms that protect an organization from internal and external intrusions. Issues such as password management, authentication systems, and event logging are part of this section.

Implementing Access Control

The process of implementing access control is critical. Access control defines how users and systems communicate and in what manner. In other words, it limits (or controls) access to system resources, including data, and thus protects information from unauthorized access. Three basic models are used to explain access control.

The Mandatory Access Control Method

The Mandatory Access Control (MAC) model is a static model that uses a predefined set of access privileges for files on the system. The system administrators establish these parameters and associate them with an account, files, or resources.

The MAC model can be very restrictive. In a MAC model, administrators establish access. Users can't share resources dynamically unless the static relationship already exists.

The acronym MAC appears in numerous computer-related contexts. One of the most common uses is to represent the Media Access layer in networking. Be careful not to confuse MAC addressing as it relates to network cards with Mandatory Access Control.

MAC uses labels to identify the level of sensitivity that applies to objects. When a user attempts to access an object, the label is examined to see if the access should take place or be denied. One key element to remember is that when mandatory control is applied, labels are required and must exist for every object.

The Discretionary Access Control Method

The Discretionary Access Control (DAC) model allows the owner of a resource to establish privileges to the information they own. The difference between DAC and MAC is that labels are not mandatory but can be applied as needed.

The DAC model allows a user to share a file or use a file that someone else has shared.

It establishes an access control list (ACL) that identifies the users who have authorization to access that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

The Role-Based Access Control Method

The Role-Based Access Control (RBAC) model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. The roles almost always shadow the organizational structure.

Users can be assigned roles systemwide and can then perform certain functions or duties based on the roles they're assigned. An example might be a role called salesperson. The user assigned the salesperson role can access only the information established for that role. Users may be able to access this information from any station in the network, based strictly on their role. A sales manager may have a different role that allows access to all of the individual salespersons' information.

The RBAC model is common in network administrative roles.
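As an added example that is not part of the essay, the following Python sketches the decision rule of each of the three models described above. The ordering of sensitivity labels, the shape of the ACL and the role table are constructed assumptions, not something the essay specifies.

```python
"""Added example: one decision function per access-control model.

Assumptions (not stated in the essay):
- MAC: every subject and object carries an ordered sensitivity label and a
  read is allowed only if the subject's label dominates the object's.
- DAC: the owner maintains an ACL of (user -> permissions) entries.
- RBAC: permissions attach to roles, and users are assigned roles.
"""

# ---- Mandatory Access Control: a label must exist for every object --------
# Constructed ordering of sensitivity labels (lowest to highest).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows_read(subject_label, object_labels, obj):
    """True if the subject's label dominates the object's label.

    The essay stresses that under MAC labels are required on every object,
    so a missing label is a policy error rather than an implicit 'public'.
    """
    if obj not in object_labels:
        raise LookupError(f"MAC violation: object {obj!r} has no label")
    return LEVELS[subject_label] >= LEVELS[object_labels[obj]]


# ---- Discretionary Access Control: the owner edits an ACL -----------------
class DacResource:
    """A resource whose owner grants or revokes access through an ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # owner always has full rights

    def grant(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(perm)

    def revoke(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.get(user, set()).discard(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())


# ---- Role-Based Access Control: permissions attach to roles ---------------
ROLE_PERMS = {
    "salesperson": {"read:own_accounts"},
    "sales_manager": {"read:own_accounts", "read:all_accounts"},
}


def rbac_allows(user_roles, user, perm):
    """Allow if any role held by the user carries the permission."""
    return any(perm in ROLE_PERMS.get(r, set()) for r in user_roles.get(user, ()))


def demo():
    """Exercise all three models on constructed data; returns the decisions."""
    labels = {"/hr/salaries": "confidential", "/pub/index.html": "public"}
    mac = (
        mac_allows_read("internal", labels, "/pub/index.html"),   # internal >= public
        mac_allows_read("internal", labels, "/hr/salaries"),      # internal < confidential
    )
    try:
        mac_allows_read("secret", labels, "/unlabelled.txt")
        unlabelled_rejected = False
    except LookupError:
        unlabelled_rejected = True

    doc = DacResource(owner="alice")
    doc.grant("alice", "bob", "read")
    shared = doc.allows("bob", "read")        # owner shared the file
    doc.revoke("alice", "bob", "read")
    revoked = doc.allows("bob", "read")       # access withdrawn again

    roles = {"carol": {"salesperson"}, "dave": {"sales_manager"}}
    rbac = (
        rbac_allows(roles, "carol", "read:all_accounts"),   # salesperson: own only
        rbac_allows(roles, "dave", "read:all_accounts"),    # manager: everyone's
    )
    return mac, unlabelled_rejected, shared, revoked, rbac


if __name__ == "__main__":
    print(demo())
```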

Understanding Authentication

Authentication is one of the most critical parts of a security system. It is part of a process that is also referred to as identification and authentication. The identification procedure starts as soon as a user logon name is typed into a sign-on screen. Authentication is accomplished by challenging the claim about who is accessing the resource. Without authentication, anyone is capable of claiming to be anyone.

Network authentication is invisible to a user who uses a domain account. Local users who use a computer account must supply credentials (such as a user name and password) whenever they access a network resource. With a domain account, the client has credentials that are automatically used for single sign-on.


Biometric readers use physical characteristics to identify the user. Such devices are becoming more common in the business environment. Biometric readers include hand scanners, retinal scanners, and soon, possibly, DNA scanners. To gain access to resources, you must pass a physical screening process. In the case of a hand scanner, the screening may include fingerprints, scars, and markings on your hand. Retinal scanners compare your eye's retinal pattern to a stored retinal pattern to verify your identity. DNA scanners will examine a unique portion of your DNA structure to verify that you are who you say you are.


Certificates are another common form of authentication. A certificate includes a digital signature from the certification authority that issued the certificate. In the EAP-TLS certificate authentication process, your computer presents its client certificate to the remote access server, and the remote access server presents its computer certificate to the client computer, providing mutual authentication. A certificate is authenticated by using a public key to verify the embedded digital signature.

Challenge Handshake Authentication Protocol

Challenge Handshake Authentication Protocol (CHAP) challenges a system to verify identity.

CHAP doesn't use a user ID/password mechanism. Instead, the initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server. The server compares the value from the client and, if the information matches, grants authorization. If the response fails, the session fails, and the request phase starts over. Figure 1.4 illustrates the CHAP procedure. This handshake method involves a number of steps and is usually automatic between systems.

Password Authentication Protocol

Password Authentication Protocol (PAP) offers no true security, but it's one of the simplest forms of authentication. The username and password values are both sent to the server as clear text and checked for a match. If they match, the user is granted access; if they don't match, the user is denied access. In most modern implementations, PAP is shunned in favor of other, more secure authentication methods.
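The two exchanges described in the CHAP and PAP sections above, simulated end to end with both sides' messages, as an added example that is not part of the essay. It assumes the CHAP response is computed as in RFC 1994, MD5 over identifier, shared secret and challenge (the essay only says the challenge is "encrypted"); user names, secrets and challenge values are constructed.

```python
"""Added example: PAP and CHAP exchanges side by side.

What it shows: the value PAP puts on the wire is the password itself, while
the CHAP response is a per-challenge hash that changes with every challenge
and never carries the secret.  Credentials and challenges are constructed.
"""
import hashlib
import hmac
import os

# Constructed credential store, the server's copy of each user's secret.
SERVER_DB = {"alice": b"correct horse battery staple"}


# ---------------------------- PAP -------------------------------------------
def pap_client(user, password):
    """Authenticate-Request: user name and password travel in the clear."""
    return {"type": "Authenticate-Request", "user": user, "password": password}


def pap_server(msg):
    expected = SERVER_DB.get(msg["user"])
    ok = expected is not None and hmac.compare_digest(expected, msg["password"])
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# ---------------------------- CHAP ------------------------------------------
def chap_response(identifier, secret, challenge):
    """RFC 1994 response value (assumption): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_challenge(identifier=1, challenge=None):
    """Step 1: the server sends a fresh random challenge to the client."""
    challenge = challenge or os.urandom(16)
    return {"type": "Challenge", "id": identifier, "value": challenge}


def chap_client(challenge_msg, user, secret):
    """Step 2: the client answers with the hash, never with the secret itself."""
    resp = chap_response(challenge_msg["id"], secret, challenge_msg["value"])
    return {"type": "Response", "id": challenge_msg["id"], "value": resp, "name": user}


def chap_server_verify(challenge_msg, response_msg):
    """Step 3: the server recomputes the hash with its own copy of the secret."""
    secret = SERVER_DB.get(response_msg["name"])
    if secret is None or response_msg["id"] != challenge_msg["id"]:
        return "Failure"
    expected = chap_response(challenge_msg["id"], secret, challenge_msg["value"])
    return "Success" if hmac.compare_digest(expected, response_msg["value"]) else "Failure"


def run_pap(user, password):
    """Full PAP exchange; returns (server verdict, what was visible on the wire)."""
    msg = pap_client(user, password)
    return pap_server(msg), msg["password"]


def run_chap(user, secret, challenge=None):
    """Full CHAP exchange; returns (server verdict, what was visible on the wire)."""
    ch = chap_server_challenge(challenge=challenge)
    resp = chap_client(ch, user, secret)
    return chap_server_verify(ch, resp), resp["value"]


if __name__ == "__main__":
    print("PAP :", run_pap("alice", SERVER_DB["alice"]))
    print("CHAP:", run_chap("alice", SERVER_DB["alice"]))
```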


Firewalls are one of the first lines of defense in a network. There are different types of firewalls, and they can be either stand-alone systems or built into other devices such as routers or servers. Some firewall solutions are marketed as hardware only and others as software only. Many firewalls consist of integrated software that is available for servers or workstations.

Firewalls are available as appliances, meaning they are installed as the primary device separating two networks. Appliances are freestanding devices that operate in a largely self-contained manner and require less maintenance and support than a server-based product.

Firewalls function as one or more of the following:

- Packet filter

- Proxy firewall

- Stateful inspection firewall

Packet Filter Firewalls

A firewall operating as a packet filter passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information. For instance, a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23. This type of filtering is included in many routers. If a received packet request asks for a port that isn't authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall.

Packet filters are growing in sophistication and capability. A packet filter firewall can allow any traffic that you specify as acceptable. For example, if you want web users to access your site, then you configure the packet filter firewall to allow data on port 80 to enter. If every network were exactly the same, firewalls would come with default port settings hardcoded, but networks vary, so the firewalls don't include such settings.

Proxy Firewalls

A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all the packets and reprocesses them for use internally. This process includes hiding IP addresses.

When you consider the concept of hiding IP addresses, think of Network Address Translation (NAT). The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the same request be made again, and can increase the efficiency of data delivery.

Stateful Inspection Firewalls

The last section on firewalls focuses on the concept of stateful inspection. Stateful inspection is also referred to as stateful packet filtering. Most of the devices used in networks don't keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. In stateful inspection (or stateful packet filtering), records are kept using a state table that tracks every communications channel. Stateful inspection occurs at all levels of the network and provides additional security, especially for connectionless protocols such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). This adds complexity to the process. Denial-of-service (DoS) attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot.
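The packet filter and stateful inspection behaviour described in the two sections above, as an added example that is not part of the essay: a static rule list (web on TCP/80 allowed, Telnet on TCP/23 blocked) beside a state table that admits an inbound UDP datagram only when it answers a recorded outbound request. The rule list, the addresses and the sample packets are constructed, and the table cap stands in for the exhaustion point a flood targets.

```python
"""Added example: stateless packet filtering next to stateful inspection."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet, reduced to the addressing fields a filter looks at."""
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving from outside, "out" = leaving the LAN


# ---- Stateless packet filter -----------------------------------------------
# Constructed rule list mirroring the essay: web on 80 allowed, Telnet on 23
# blocked.  First match wins; anything unmatched is denied.
RULES = [
    ("allow", "tcp", 80),
    ("deny", "tcp", 23),
    ("allow", "udp", 53),
]


def packet_filter(pkt):
    """Decide on protocol and port only; the payload is never examined."""
    for action, proto, port in RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "deny"


# ---- Stateful inspection ---------------------------------------------------
class StatefulFirewall:
    """Keeps a state table so connectionless UDP replies can be matched."""

    def __init__(self, max_entries=1000):
        self.state = set()            # recorded outbound channels
        self.max_entries = max_entries

    def handle(self, pkt):
        if pkt.direction == "out":
            if packet_filter(pkt) == "deny":
                return "deny"
            if len(self.state) >= self.max_entries:
                # The table is the resource a flood exhausts; cap it and
                # refuse new channels rather than failing open.
                return "deny"
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.proto == "udp":
            # Inbound UDP is allowed only as the reply to a recorded request:
            # the outbound entry with source and destination swapped.
            reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if reply_of in self.state else "deny"
        # Inbound TCP falls back to the static rules (e.g. serving a web site).
        return packet_filter(pkt)


def demo():
    """Run constructed packets through the firewall; returns the decisions."""
    fw = StatefulFirewall()
    web_in = Packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 80, "in")
    telnet_in = Packet("tcp", "203.0.113.9", 40001, "192.0.2.10", 23, "in")
    dns_out = Packet("udp", "192.0.2.10", 50000, "198.51.100.53", 53, "out")
    dns_reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 50000, "in")
    stray_udp = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 50001, "in")
    return {
        "web_in": fw.handle(web_in),            # static rule for TCP/80
        "telnet_in": fw.handle(telnet_in),      # static rule for TCP/23
        "stray_before": fw.handle(stray_udp),   # nothing in the state table yet
        "dns_out": fw.handle(dns_out),          # passes and records the channel
        "dns_reply": fw.handle(dns_reply),      # matches the recorded channel
        "stray_after": fw.handle(stray_udp),    # wrong port, still no entry
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision}")
```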

Appreciating Antivirus Software

Computer viruses (applications that carry out malicious actions) are among the most annoying trends happening today. It seems that almost every day someone invents a new virus. Some of these viruses do nothing more than give you a big "gotcha." Others contaminate networks and wreak havoc on computer systems. A virus may act on your data or your operating system, but it's intent on doing harm, and doing so without your consent. Viruses often include replication as a primary objective and try to infect as many machines as they can, as quickly as possible.

The business of providing software to computer users to protect them from viruses has become a huge industry. Several very good and well-established suppliers of antivirus software exist, and new virus-protection methods come on the scene almost as fast as new viruses. Antivirus software scans a computer's memory, disk files, and incoming and outgoing e-mail. The software typically uses a virus definition file that is updated regularly by the manufacturer. If these files are kept up-to-date, the computer system will be relatively secure. Unfortunately, most people don't keep their virus definition files up-to-date. Users will exclaim that a new virus has come out, because they just got it. Upon examination, you'll often discover that their virus definition file is months out-of-date. As you can see, the software part of the system will break down if the definition files aren't updated on a regular basis.



A networker should determine the problem definition and the scope, following steps such as:

Gather information

Consider possible causes

Devise a solution and implement it

Test the solution

Document the solution

Devise the preventive measures

Determine the problem definition

For instance, when you reach the user's computer, ask about the problem using open questions; at this point the user will describe all of his/her problems in his/her own language and understanding. Then ask closed questions, which the user answers with a yes or a no.

After that we should ask about the scope: is he/she the only one with the trouble, or does the entire network experience the problem?


At this stage we gather all information concerning the user's address and name, the computer's operating system and the installed software; in addition we collect the computer's information from, for example, the:

Event Viewer

Device Manager

System Information


The following is the list of possible causes:

No internet connection available

Cabling is faulty, or the wrong cables are used

Faulty NIC

Faulty mail client settings

Mail server availability

Wrong IP addressing

Printer not installed correctly

No printer drivers on the computer

Printer is not turned on

No ink inside the printer

No paper inside the printer


At this point it depends on your findings. Each problem has its own solution, for example:

No internet connection available: make sure the computer is actually connected to the network, for instance by attaching the cable to the switch and the other end to the computer; the network icon must appear at the bottom of the screen. Also try to reach at least the Google server.

Cabling is faulty, or the wrong cables are used: between the switch and the computer, make sure that the cable connected to the network is a straight-through cable.

Faulty NIC: the link light on the NIC should blink to show that the NIC is working properly; if it is not blinking, the NIC is not okay. Also open a command prompt and confirm that loopback addressing works, for example by pinging the loopback address.

Faulty mail client settings: use the default mail client.

Mail server availability: check whether other servers can be reached.

Wrong IP addressing: confirm the addressing with the administrator.

Printer not installed correctly: attempt a test print, and reinstall the printer.

No printer drivers on the computer: check Device Manager for the printer driver; if the printer driver is not available, install it on the computer.

Printer is not turned on: switch on the printer.

No ink inside the printer: replace the cartridge if the ink is finished, or consider refilling.

No paper inside the printer: make sure there is paper inside; if not, add some paper to the paper tray.


After implementing the solutions, try to access the internet, or more specifically the mail server, and also check whether you can print again.


If the same problem happens again, whichever networker is available will be able to follow the same procedure.


Explain to the computer user what the trouble was and how to avoid it in the future. For example, in the case of the email problem, the user has to know and write down his/her mail client settings. In the case of the print problem, explain to him/her how to use the printer safely, as well as how to update the printer driver and how to install a new printer.


My college network is linked to the internet through a Cisco security appliance.

Producer: my Cisco security appliance is produced by Cisco Systems.

Model number: 2610 series Cisco router.

Security features

A firewall is one of the most effective security tools available for protecting internal network users from external threats. Firewall products use a range of techniques for determining what is permitted or denied access to a network. These are the security features:

Application / Web Site Filtering: prevents access based on the application.

Stateful Packet Inspection (SPI): received packets must be legitimate responses to requests from internal hosts. SPI can also include the ability to recognize and filter out specific types of attacks such as DoS.

Packet Filtering: prevents or allows access based on IP or MAC addresses.

Proxy Firewalls: a proxy firewall can be thought of as an agent between your network and any other network. Proxy firewalls are used to process requests from an outside network.

NAT (Network Address Translation): NAT is a mechanism for preventing the intranet from being recognized by intruders; it translates the internal private addresses into one or more public addresses purchased from the ISP.


It supports NAT, so with NAT our college can hide internal IP addresses so that they will not be routed to the internet.

It supports SPI (stateful packet inspection); by means of this feature there will be security for the intranet.

It supports packet filtering, a simple management and control mechanism.

It filters based on names and websites, so intranet users can't access porn sites and harmful websites.



An acceptable use policy (AUP) is a set of rules set by the owner of the network. AUP documents are written for many organizations, including schools, businesses and ISPs, to minimize the potential for legal action that may be taken by users.

AUPs are important to the safety of an organization.

Consequently, all members of a company have to sign the AUP before they are given access to the company's information system.

An AUP has to be simple and clear; it should show what users should and should not do with the company's systems and infrastructure.

Acceptable internet use policy (IMIT COLLAGE)

Use of the internet by employees of [IMIT COLLAGE] is permitted and encouraged where such use supports the goals and objectives of the business. On the other hand, [IMIT COLLAGE] has a policy for the use of the internet, so employees should make sure that they:

comply with the legislation

use the internet in an acceptable and safe way

do not create unnecessary business risk

Unacceptable behavior

In particular, the following is unacceptable use by employees:

doing fraud using the computer

visiting sites that contain pornographic or otherwise illegal material

downloading commercial software or any copyrighted materials

revealing confidential information about [IMIT COLLAGE] in a personal online posting, upload or transmission

introducing any form of harmful software into the corporate network

using the internet to abuse or send annoying messages to others

hacking into unauthorized sectors

undertaking useless activities that waste staff effort or networked resources

Company-owned information held on third-party websites

Whenever you collect or create any information in the course of your job, the information remains the property of IMIT COLLAGE, and this includes the information stored on your hard drive.

Monitoring - IMIT COLLAGE accepts that the use of the internet is an important business tool. However, misuse of this facility can have a negative effect upon employee productivity and the reputation of the business.

Sanctions - Whenever an employee has failed to comply with this policy, they will face the company's disciplinary process. If the employee is found to have violated the policy, they will face a judgement, which can be a verbal warning or dismissal.

Agreement - All company employees who have been granted the right to use the company's internet access are required to sign this agreement confirming their understanding and acceptance of this policy.

Acceptable email use policy

On the other hand, [IMIT COLLAGE] has a policy for the use of email. Employees should:

comply with legislation

use email in an acceptable and safe way

do not create unnecessary business risk

Unacceptable behavior

forwarding of company confidential messages to external recipients who are not allowed to receive the message

storing images, text or materials that might be considered discriminatory, offensive or abusive

use of company email systems to set up personal businesses or send chain letters

storing images, text or materials that might be considered indecent or pornographic

accessing copyrighted information in a way that violates the copyright

transmitting unsolicited commercial or advertising material

undertaking useless activities that waste staff effort or networked resources

introducing any form of computer virus, malware or Trojan into the corporate network

Monitoring - [IMIT COLLAGE] accepts that the use of email is a valuable business tool. However, misuse of this facility can have a negative impact upon employee productivity and the reputation of the business.

Sanctions - When an employee has failed to comply with this policy, they will face the company's disciplinary process. If the employee is found to have violated the policy, they will face a judgement, which can be a verbal warning or dismissal.

Agreement - All company employees who receive the right to use the company's internet access are required to sign this agreement confirming their understanding and acceptance of this policy.


However, IMIT COLLAGE has a policy for the use of the internet, so employees should ensure that they:

comply with the legislation

use the internet in an acceptable and safe way

do not create unnecessary business risk

Unacceptable behavior

In particular, the following is unacceptable use by employees:

For the purposes of this policy, a "chat" system is defined as a Web site or portion thereof that encourages visitors to post messages in order to engage in "real-time" conversation with other visitors at the same site.

Interactive Web applications are not suitable for IMIT's shared hosting environment.

IMIT usually permits its users to host forums provided that they are moderated in accordance with IMIT's Forum Rules.

"Chat" systems are not allowed on IMIT servers.

IMIT permits its users to host their own personal web logs (blogs) on the following basis:

you accept and understand that any content that you provide to a blog enters an open, public forum, and is not confidential;

by disclosing personal information such as your name and email address in a blog, you acknowledge and understand that this information may be collected and used by other persons to communicate with you;

you may be held legally liable for the content that you provide in a blog;

IMIT has the right to remove any offending content or to stop your use of a blog or your hosting of a forum.

Company-owned information held on third-party websites

At any time you collect or generate any information in the course of your work, the information remains the property of IMIT COLLAGE; this includes the information stored on your hard drive or on third-party sites, e.g. Yahoo Messenger.

Monitoring - [IMIT COLLAGE] accepts that the use of the internet is a valuable business tool. However, misuse of this facility can have a negative impact upon employee productivity and the reputation of the business.

Sanctions - Whenever an employee has failed to comply with this policy, they will face the company's disciplinary process.

Agreement - Each and every one of the company employees who hold the right to use the company's internet access is required to sign this agreement confirming their understanding and acceptance of this policy.



Tools which assist network administrators with troubleshooting network-related failures.

Internet Protocol security (IPsec) is a framework of open standards for safeguarding communications over Internet Protocol networks. IPsec supports data origin authentication, data integrity and data confidentiality.

IPsec is supported by Microsoft Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and also Windows 2000 Server.

The main function of the IPsec Policy Agent is to retrieve policy information and pass it to the other IPsec components that require this information to perform security services.

Here you will see the following two files:

1) policy agent registry

2) query policyagent



Debug REG_DWORD 0x1
EnableLogging REG_DWORD 0x1
StrongCRLCheck REG_DWORD 0x1
MaxRespOpenMM REG_DWORD 0x1f4
EnableDOSProtect REG_DWORD 0x0


SERVICE_NAME: policyagent
WIN32_EXIT_CODE : 0 (0x0)





System Information is used to gather information about your computer. It collects system information, such as the devices installed in your computer or the drivers that are loaded on your computer.

Here you will see the systeminfo file:

Host Name: IIMIT-84BAE7E0F
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: iimit
Registered Organization:
Product ID: 76487-640-2195981-23928
Original Install Date: 5/22/2010, 10:08:42 PM
System Up Time: 0 Days, 1 Hours, 28 Minutes, 20 Seconds
System Manufacturer: Hewlett-Packard
System Model: HP Compaq dx7300 Microtower
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 15 Model 6 Stepping 4 GenuineIntel ~2990 Mhz
BIOS Version: HPQOEM - 20060830
Windows Directory: E:\WINDOWS
System Directory: E:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+03:00) Nairobi
Total Physical Memory: 1,007 MB
Available Physical Memory: 420 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use: 44 MB
Page File Location(s): E:\pagefile.sys
Domain: MSHOME
Logon Server: \\IIMIT-84BAE7E0F
Hotfix(s): 222 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1


Network Access Protection (NAP) is a feature that allows you to define and enforce client computer health policies so that unhealthy computers are less likely to access your network.

According to our diagnosis, the NAP feature is correctly configured but not turned on or enabled.


Windows Firewall protects the personal computer from external access; it sits between the intranet and the extranet and has many security features such as firewalling and packet filtering.

We can conclude that Windows Firewall has blocked UDP port 500 as a safety measure. In turn it has allowed certain UDP ports, for example 137, and a number of TCP ports.

Here you will see the netsh_firewall_show_state file:

Firewall status:


Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = None
Remote admin mode = Disable

Ports currently open on all network interfaces:

Port Protocol Version Program
1025 UDP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
137 UDP IPv4 (null)
139 TCP IPv4 (null)
138 UDP IPv4 (null)
3300 TCP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
3389 TCP IPv4 (null)
445 TCP IPv4 (null)
514 UDP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
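As an added example that is not part of the essay, the following Python parses the "Ports currently open" table of `netsh firewall show state` (the Windows XP firewall command whose output is listed above) and checks it against the conclusions drawn in the text: UDP/500 closed, UDP/137 open. The sample text is the listing from the essay; the review rules are the author's-of-this-example assumptions about what a reviewer would flag.

```python
"""Added example: parse the open-port table of `netsh firewall show state`
and check it against the expectations stated in the essay."""
import re

# Copied from the essay's listing (Windows XP, `netsh firewall show state`).
NETSH_OUTPUT = r"""
Ports currently open on all network interfaces:
Port Protocol Version Program
1025 UDP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
137 UDP IPv4 (null)
139 TCP IPv4 (null)
138 UDP IPv4 (null)
3300 TCP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
3389 TCP IPv4 (null)
445 TCP IPv4 (null)
514 UDP IPv4 E:\Program Files\Syslogd\Syslogd_Service.exe
"""

# One table row: port, protocol, IP version, then the program path or "(null)".
ROW = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(IPv[46])\s+(.+?)\s*$")


def parse_open_ports(text):
    """Return one dict per row; a "(null)" program becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue          # header, blank and status lines carry no row
        port, proto, version, program = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "version": version,
            "program": None if program == "(null)" else program,
        })
    return rows


def is_open(rows, proto, port):
    return any(r["proto"] == proto and r["port"] == port for r in rows)


def review(rows):
    """Findings a reviewer would note (assumed rules, not from the essay).

    - UDP/500 (IKE, used by IPsec) should not be open on this workstation.
    - A row with no program is a port exception rather than a program
      exception, so it stays reachable regardless of which process listens.
    """
    findings = []
    if is_open(rows, "UDP", 500):
        findings.append("UDP/500 is open; the essay expects it blocked")
    for r in rows:
        if r["program"] is None:
            findings.append(f"{r['proto']}/{r['port']} is a port exception (no program)")
    return findings


if __name__ == "__main__":
    parsed = parse_open_ports(NETSH_OUTPUT)
    print(f"{len(parsed)} open ports; UDP/137 open: {is_open(parsed, 'UDP', 137)};"
          f" UDP/500 open: {is_open(parsed, 'UDP', 500)}")
    for f in review(parsed):
        print(" -", f)
```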


By enabling Routing and Remote Access (RRAS) you can configure your Windows Server 2003 computer to act as a remote access server. In this role, the server acts as the interface between remote access clients and the private network. Remote access clients connect to the remote access server using a VPN or dial-up connection.

Here we conclude that RRAS is not enabled, so our host can't act as a remote access server.


System events keep track of all significant occurrences in the system and in programs; this works in the background.

Windows XP maintains:

The application log: this is where applications and programs log their events. For example, when your virus scanner encounters a problem, it could bring this to your attention through the application log.

The security log: this is used to bring valid and invalid logon attempts to your attention.

The system log: this is where you will find events logged by Windows system components.

Based on the results, it seems that our host has system, security and application logs collected.