If we use authentication to get us into a system, we use authorization to determine what we can do within that. Now, it's always kind of funny because we like talking about authentication because we've got usernames and passwords and retinal scanners and all kinds of cool stuff like that. But that just gets us in. Authorization is just as important. Somebody who's authenticated to this system, we have to define what they can do on that particular system. So in this episode, what I want to do is cover a whole bunch of different types of authorization concepts, and make sure you're comfortable with these terms for the exam.
So let's go ahead and get started with probably the biggest one: permissions. When you are granted access to a system, in particular an operating system, the term permissions is very, very important when we talk about authorization. Now, what I'm talking about by permissions are the things that are assigned to you that you can do. We see permissions more commonly than anyplace else within operating systems. For example, here's Microsoft Windows. Windows normally is running NT File System, NTFS. NTFS comes with a number of permissions. So here you can see some examples of permissions that are assigned to a particular folder in a Windows computer.
Linux also has permissions. Let's take one more look at this. Now it's gonna look a lot different because Linux permissions are different. But if you take a look at this screen here, I'm actually just at a terminal and you can actually see all those r's and w's and x's. Those are actual permissions that are assigned to different files and folders within a Linux machine. So the important thing about permissions more than anything else is that the administrator of a particular system has to assign these permissions.
So if you have a user account, a user account can have permissions assigned to it. But more commonly, what we'll see is that a user is put into some kind of group, like accounting or something like that. And because everybody in accounting has the same type of permissions, we assign permissions just to that particular group. And then that way when people quit, or go on vacation and stuff like that, we don't have to mess with all of their permissions, we just move them in and out of a group. And that's probably the best way to handle that.
Now, you would think permissions would take care of just about everything, but they don't. There's a whole other group of stuff, which I'm going to be calling rights and privileges. Permissions are something that we apply to resources. But rights and privileges are something we tend to assign to systems as a whole. So using Windows again as an example, I can have a permission that allows me to have full control over a particular folder. But there's other stuff that has to do with the system itself.
For example, do you have the right to log on locally to this computer, or can you only log in remotely? Do you have the right to be able to change your passwords? Do you have the right to be able to change your desktop look and feel, stuff like that? So we're talking about stuff that has to do with the system as a whole. We tend to call these rights. We also hear the term privileges, although rights is the more common term, certainly within the Windows environment. Now in Windows, you can play with this stuff all day long. So here's an example of a Windows system where you can see a whole bunch of different rights that I can play with that can be assigned to a particular user or a group.
You've got a lot of powerful authorization tools for you to use. However, I want to talk about strategies for a moment. How do I, as an IT security person, think about all of these permissions and rights and stuff like that? Well, two strategies that we always use when we're thinking about this kind of stuff are called least privilege and separation of duty. Least privilege, as the name infers, always says give your users or your groups or whatever the least amount of privilege they need to get their job done. If I've got 500 accounts receivable people who are looking at a database, they never change it, they're only looking at that database, it would be silly for me to give them full control because they don't need it for their job.
I'm going to give them read permissions to the database, whatever it might be. And then that way they can do the job that they want to do. So we always concentrate on least privilege. Secondly was separation of duties. We're talking about thinking about what people's jobs are and how that ties into rights and permissions within the system.
Imagine that I've got a payroll department. And there are two really, really important jobs. There's one person, they probably do a lot of stuff, but one of their jobs is to update the database for how much people are making. So they type in that they're making X amount of money and the computer goes and runs all that stuff. And then there's another guy whose job is to make sure that all the payroll checks are cut.
Now you could have a potential conflict of interest by putting those duties together. So we would work really hard to make sure that we have different entities, different people, different groups, handling each of those, because just in case somebody might be tempted to change a salary and start getting big checks cut to them. So we always think about these things when we're talking about the types of strategies we use for authorization.
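As an added example (not part of the original episode), here is a small Python audit that applies both strategies to group-based permissions: it flags a group granted more than its job needs, and a user whose group memberships combine the two payroll duties. All group, user and permission names are constructed for illustration.

```python
# Constructed sample data; every group, user and permission name is an assumption.
GROUP_GRANTS = {
    "accounts_receivable": {("ar_db", "read"), ("ar_db", "write")},
    "payroll_entry": {("payroll_db", "update_salary")},
    "payroll_checks": {("checks", "issue")},
}
# What each group needs to do its job (the least-privilege baseline).
GROUP_NEEDS = {
    "accounts_receivable": {("ar_db", "read")},
    "payroll_entry": {("payroll_db", "update_salary")},
    "payroll_checks": {("checks", "issue")},
}
MEMBERSHIP = {
    "alice": {"accounts_receivable"},
    "bob": {"payroll_entry"},
    "carol": {"payroll_checks"},
    "dave": {"payroll_entry", "payroll_checks"},  # holds both payroll duties
}
# Pairs of permissions that no single person should hold together.
CONFLICTS = [(("payroll_db", "update_salary"), ("checks", "issue"))]

def effective_permissions(user):
    """Union of the grants of every group the user belongs to."""
    perms = set()
    for group in MEMBERSHIP.get(user, ()):
        perms |= GROUP_GRANTS.get(group, set())
    return perms

def excess_grants():
    """Least privilege: groups holding permissions beyond their baseline."""
    report = {}
    for group, granted in GROUP_GRANTS.items():
        extra = granted - GROUP_NEEDS.get(group, set())
        if extra:
            report[group] = sorted(extra)
    return report

def sod_violations():
    """Separation of duties: users whose combined groups hold a conflicting pair."""
    found = []
    for user in sorted(MEMBERSHIP):
        perms = effective_permissions(user)
        for a, b in CONFLICTS:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found

if __name__ == "__main__":
    print(excess_grants(), sod_violations())
```

Because permissions hang off groups, fixing either finding is a single change: drop the extra grant from the group, or move the user out of one of the two payroll groups.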