Access Controls and Authentication

All computer users, including attackers, need to establish access to a computer system before accessing its resources. The operating system is responsible for providing access to authorized users while denying access to unauthorized users. This process of providing and denying access is called access control. As developers of operating systems have become more concerned with security issues, access control has matured with each new operating system release. Access control is a multistep process, starting with identification and authentication. Regardless of the methods used, the operating system needs to identify the user asking for access to a resource. Most often, the user provides a username (or user ID). A username alone is not sufficient to use as a basis for granting access to resources, however. Anyone can claim to be a user. There must be a process that validates that a user is authentic.

The authentication process ensures that users are who they claim to be. There are many methods to authenticate users. The most common method in use is the password. Although anyone can claim to be a particular user, no one else but the real user should know the user’s password. The ability to provide both the username and password provides the authentication that the user is valid and authentic.

Authentication Methods

Authentication methods aren’t limited to just passwords—they can be one of three types. Each type of authentication is useful in different applications and has strengths and weaknesses. TABLE 2-4 lists the three authentication types: Type I, Type II, and Type III authentication.

TABLE 2-4 Authentication Types

Regardless of the type, or types, of authentication used, the authentication system performs the following tasks:

  • Collects identification credentials, such as a username.

  • Collects authentication credentials, such as a password.

  • Finds the stored information that corresponds to the supplied credentials in the user list, often in an authentication database.

  • Compares the stored credentials with the supplied credentials. If they match, the user is authenticated.
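The four tasks above, as an added example that is not from the original text. It assumes the authentication database stores a salted PBKDF2 hash rather than the password itself and compares in constant time; the names AUTH_DB, make_record and authenticate are hypothetical, and the sample user is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption of this example, not a value from the text


def _derive(password: str, salt: bytes) -> bytes:
    # Derive the value that is stored and later compared (never the raw password).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    # Build one row of the authentication database with a per-user random salt.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


# Constructed user list / authentication database.
AUTH_DB = {"alice": make_record("correct horse battery staple")}

# Placeholder record used for unknown usernames, so that a failed lookup
# does the same amount of work as a successful one.
_DUMMY = make_record("dummy-placeholder")


def authenticate(username: str, password: str) -> bool:
    # Tasks 1 and 2: the identification credential (username) and the
    # authentication credential (password) arrive as the two arguments.
    # Task 3: find the stored information for the claimed identity.
    record = AUTH_DB.get(username)
    known = record is not None
    if not known:
        record = _DUMMY
    # Task 4: compare stored and supplied credentials in constant time.
    supplied = _derive(password, record["salt"])
    match = hmac.compare_digest(supplied, record["hash"])
    # An unknown username never authenticates, even if the dummy value matches.
    return known and match


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "guess"))
    print(authenticate("mallory", "guess"))
```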

The strongest authentication comes from using more than one type at the same time. Using two types of authentication is called two-factor authentication and using more than two types is called multifactor authentication. Any operating system or application that requests more than one response during authentication is using two-factor or multifactor authentication. Using more than a single authentication type strengthens the process by increasing the difficulty of impersonating a valid user.

Access Control Methods

Once a user is identified and properly authenticated, the operating system can grant or deny access based on different rule sets. Access control doesn’t only apply to users. Any user or program that requests access to a resource is called the access subject. The resource to which the subject requests access is called the access object. Using these terms, access control is the process of granting or denying subjects access to specific objects.

The most common types of access control rules are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). DAC strategies are defined primarily at the user, or subject, level. Each object has a defined owner and the owner has complete control over which users can access the object. In an operating system environment, this means access is granted to resources based on the user’s settings. Windows extends this concept to allow object properties that can further restrict access. While this approach is simple to define, it can be challenging to maintain in large environments with many users.

The next main type of access control is MAC. A familiar MAC implementation is used in military and government environments. In such an environment, all data objects are labeled with a specific classification. Government classifications are Unclassified, Restricted, Confidential, Secret, and Top Secret. Likewise, all subjects are granted a specific clearance. A subject must hold a clearance at, or above, the classification level of the desired object to access it. In most environments, subjects must also demonstrate a specific “need to know.”

The final type of access control is RBAC. From one point of view, RBAC extends, or generalizes, DAC. Object access is defined by role, as opposed to individual users. Each user is assigned one or more roles. The roles to which a user is assigned define which objects that user (subject) can access. Most operating systems, including Windows, do not directly use RBAC, but use a combination of DAC and RBAC. This combination of access control methods is implemented using both user- and user group–based permissions.
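The three rule sets side by side, as an added example that is not from the original text. The subjects, the object, the dictionary field names and the "compartment" used to model need to know are all constructed for illustration; the classification levels are the ones listed above.

```python
# Classification levels in ascending order, as listed in the text.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]

# Constructed subjects and access object (hypothetical field names).
ALICE = {"name": "alice", "clearance": "Secret",
         "need_to_know": {"ops"}, "roles": {"analyst"}}
BOB = {"name": "bob", "clearance": "Top Secret",
       "need_to_know": {"finance"}, "roles": {"auditor"}}
CAROL = {"name": "carol", "clearance": "Confidential",
         "need_to_know": {"ops"}, "roles": set()}
REPORT = {"name": "report", "owner": "alice", "acl": {"bob": {"read"}},
          "classification": "Secret", "compartment": "ops"}

# RBAC: permissions hang off roles, not individual users.
ROLE_PERMS = {"analyst": {("report", "read"), ("report", "write")},
              "auditor": {("report", "read")}}


def dac_allows(subject, obj, action):
    # DAC: the owner has complete control; everyone else gets only what
    # the owner has granted in the object's access list.
    if subject["name"] == obj["owner"]:
        return True
    return action in obj["acl"].get(subject["name"], set())


def mac_allows(subject, obj):
    # MAC: clearance must be at or above the object's classification,
    # and the subject must also have a need to know.
    cleared = (LEVELS.index(subject["clearance"])
               >= LEVELS.index(obj["classification"]))
    return cleared and obj["compartment"] in subject["need_to_know"]


def rbac_allows(subject, obj, action, role_perms):
    # RBAC: access is granted if any of the subject's roles carries
    # the requested permission on the object.
    return any((obj["name"], action) in role_perms.get(role, set())
               for role in subject["roles"])


if __name__ == "__main__":
    for s in (ALICE, BOB, CAROL):
        print(s["name"], dac_allows(s, REPORT, "read"),
              mac_allows(s, REPORT), rbac_allows(s, REPORT, "read", ROLE_PERMS))
```

Bob holds the highest clearance yet is denied under MAC because he lacks need to know, while DAC and RBAC both let him read the same object.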
