In-depth research on multi-layer Access Control Technology and Policy

Source: Internet
Author: User
Tags: access properties

Access control is the main mechanism by which a network prevents unauthorized use of, and access to, its resources, and it is one of the core strategies for keeping a network secure. It spans several layers of technology: inbound (login) access control, network permission control, directory-level control, attribute control, and control of the server itself.
Inbound Access Control
Inbound access control is the first barrier a user meets. It decides which users may log on to a server and obtain network resources, at what times they may do so, and from which workstations. Login proceeds in three steps: identification and verification of the user name, verification of the user's password, and a check of the default restrictions on the account. Access is refused if any of the three checks fails.

Verifying the user name and password is the first line of defence against unauthorized access. To protect the password: it must never be echoed on the screen; it should be at least 6 characters long (current guidance such as NIST SP 800-63B raises this minimum to 8); it should mix digits, letters and other characters; and it must never be stored in clear text. The original text says the password "must be encrypted", but what is actually required is a salted, slow one-way hash, since nothing ever needs to decrypt a stored password. One-time passwords or a portable authenticator such as a smart card can be used instead of, or in addition to, a static password.

The network administrator controls how and when ordinary users' accounts may be used. Only the system administrator can create accounts. The password is the credential each user must present to access the network. Users may change their own password, but the administrator must be able to enforce a minimum length, a maximum age after which a change is forced, password uniqueness (no reuse of previous passwords), and the number of grace logins permitted after the password has expired.

Once the user name and password have been validated, the account's default restrictions are checked: the number of concurrent sessions (login points) the user may hold, the hours during which the user may log on, and the workstations from which the user may connect.
If the user has an account balance (accounting for network usage) and it is used up, the network should restrict the account so that the user can no longer reach network resources until the balance is replenished. The network should audit every login attempt. Repeated wrong passwords for the same account should be treated as an intrusion attempt: the account is locked and an alarm is raised for the administrator.
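The three-step login procedure, the password policy, the account restrictions and the lockout-and-alarm rule described above, worked as one runnable model. This is an added example, not code from the original article or from any product it describes; the class names, the policy constants (8-character minimum, 5 failed attempts, 3 grace logins, PBKDF2 iteration count), the audit-line format and the constructed sample account and timestamps are all this example's own assumptions. Passwords are stored only as a salted PBKDF2 hash and compared in constant time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Policy constants for this example (assumptions, not values taken from the text).
PBKDF2_ITERATIONS = 100_000  # demo value; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 8      # the text says 6; NIST SP 800-63B sets 8 as the minimum
MAX_FAILED_LOGINS = 5        # intruder-detection threshold before lockout and alarm
GRACE_LOGINS = 3             # logins still allowed after the password has expired

# Constructed sample timestamps: inside and outside an 08:00-18:00 login window.
SAMPLE_TIME = datetime(2024, 1, 15, 10, 0)
OFF_HOURS = datetime(2024, 1, 15, 22, 0)

def password_policy_errors(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    rules = [
        (len(password) >= MIN_PASSWORD_LENGTH, "too short"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c.isalpha() for c in password), "no letter"),
        (any(not c.isalnum() for c in password), "no other character"),
    ]
    return [message for ok, message in rules if not ok]

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, one-way hash: the clear-text password is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    allowed_hours: Tuple[int, int] = (0, 24)     # [start, end) hour of day
    allowed_stations: Optional[Set[str]] = None  # None = any workstation
    max_connections: int = 1                     # concurrent sessions permitted
    active_connections: int = 0
    balance: int = 1                             # usage "fee" balance; 0 = exhausted
    password_expired: bool = False
    grace_logins_left: int = GRACE_LOGINS
    failed_logins: int = 0
    locked: bool = False

class LoginService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []  # every attempt, success or failure, is recorded

    def create_account(self, name: str, password: str, **limits) -> Account:
        # Administrator-only: the password policy is enforced when the account is created.
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("weak password: " + ", ".join(errors))
        salt, digest = hash_password(password)
        self.accounts[name] = Account(name, salt, digest, **limits)
        return self.accounts[name]

    def login(self, name: str, password: str, station: str, now: datetime) -> Tuple[bool, str]:
        # Step 1: user-name identification.
        acct = self.accounts.get(name)
        if acct is None:
            return self._deny(name, station, "unknown user")
        if acct.locked:
            return self._deny(name, station, "account locked")
        # Step 2: password verification, comparing salted hashes in constant time.
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True
                self.audit.append(f"ALARM {name}: locked after {acct.failed_logins} bad passwords from {station}")
            return self._deny(name, station, "bad password")
        acct.failed_logins = 0
        # Step 3: default limit check on the account.
        start, end = acct.allowed_hours
        if not start <= now.hour < end:
            return self._deny(name, station, "outside allowed hours")
        if acct.allowed_stations is not None and station not in acct.allowed_stations:
            return self._deny(name, station, "workstation not permitted")
        if acct.active_connections >= acct.max_connections:
            return self._deny(name, station, "connection limit reached")
        if acct.balance <= 0:
            return self._deny(name, station, "account balance exhausted")
        if acct.password_expired:
            if acct.grace_logins_left <= 0:
                return self._deny(name, station, "password expired, no grace logins left")
            acct.grace_logins_left -= 1
        acct.active_connections += 1
        self.audit.append(f"OK {name} from {station} at {now.isoformat()}")
        return True, "ok"

    def _deny(self, name: str, station: str, reason: str) -> Tuple[bool, str]:
        self.audit.append(f"DENY {name} from {station}: {reason}")
        return False, reason
```

Create an account with `LoginService().create_account("alice", "Correct-Horse-7", allowed_hours=(8, 18), allowed_stations={"ws-01"})` and call `login(...)` with a station name and a timestamp; every call appends one audit line, and the fifth wrong password locks the account and writes an `ALARM` line. The deny reasons are returned for the audit trail; a real login prompt should show the user a single generic failure message so that an attacker cannot tell a wrong user name from a wrong password.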
Permission Control
Network permission control protects against illegal operations by users who have already logged on. Users and groups are granted specific rights, and the network controls which directories, subdirectories, files and other resources they may reach and which operations they may perform on them. Rights reach a user in two ways: through a trustee assignment, by which an administrator explicitly grants a user or group rights over a directory, file or device of a network server, and through inheritance, by which rights granted on a directory flow down to its subdirectories. An inherited rights filter (mask) acts on the second path: it restricts which rights a subdirectory inherits from its parent. Users fall into three categories by privilege: special users (system administrators); ordinary users, to whom the administrator assigns rights according to their actual needs; and audit users, responsible for security monitoring and for auditing resource usage. A user's rights over network resources can be recorded in an access control table.
Directory-level security control
The network allows users to access directories, files and devices. Rights specified on a directory apply to all files and subdirectories beneath it, and rights can also be specified on individual subdirectories and files. There are generally eight rights for directories and files: supervisor (system administrator), read, write, create, delete (erase), modify, file search (file scan), and access control. (This is the rights model of the classic Novell NetWare file system, which the text follows closely.) A user's effective rights on a file or object depend on three factors: the trustee assignments made to the user, the trustee assignments made to the user's groups, and the inherited rights filter, which removes rights that would otherwise be inherited. The administrator assigns each user appropriate rights, and these control the user's access to the server; a well-chosen combination of the eight rights lets users do their work while limiting what they can reach on the server, improving the security of both network and server.
Attribute Security Control
Beyond rights, the network administrator should assign security attributes to files, directories and network devices. Attribute security sits on top of permission security: each resource is marked in advance with a set of security attributes, and the user's rights on it, as recorded in the access control table, determine what the user may do only as far as the attributes allow. An attribute overrides the rights granted by any trustee assignment and the resulting effective rights, for every user. Attributes typically control whether data may be written to a file, whether a file may be copied, whether a directory or file may be deleted, whether directories and files are visible in listings (hidden), whether a file may be executed, whether it may be shared, and whether it is a system file.
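A worked model of how the permission, directory-level and attribute sections above fit together: trustee assignments to users and groups, an inherited rights filter on each directory, effective rights computed as the union over the user and its groups, and file attributes that override the rights of any user, supervisor included. This is an added example and not code from the original article or from any product; the one-letter right codes, the attribute labels (read-only, delete-inhibit, copy-inhibit, rename-inhibit, hidden), the rules that an explicit assignment replaces inherited rights for that trustee and that the supervisor right cannot be filtered, and the sample volume layout are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# The eight rights of the text, with one-letter codes: S = supervisor (system administrator),
# R = read, W = write, C = create, E = erase/delete, M = modify, F = file scan/search,
# A = access control.
ALL_RIGHTS: FrozenSet[str] = frozenset("SRWCEMFA")

# Operation -> (right required, attributes that override that right for everyone).
# The attribute names are labels chosen for this example for the attributes the text lists.
OPERATIONS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "read": ("R", frozenset()),
    "execute": ("R", frozenset()),
    "list": ("F", frozenset({"hidden"})),
    "create": ("C", frozenset()),
    "write": ("W", frozenset({"read-only"})),
    "copy": ("R", frozenset({"copy-inhibit"})),
    "delete": ("E", frozenset({"delete-inhibit", "read-only"})),
    "rename": ("M", frozenset({"rename-inhibit", "read-only"})),
}

@dataclass
class Node:
    """A directory or file: explicit trustee rights, an inherited rights filter, attributes."""
    trustees: Dict[str, Set[str]] = field(default_factory=dict)
    irf: Set[str] = field(default_factory=lambda: set(ALL_RIGHTS))  # everything inherits by default
    attributes: Set[str] = field(default_factory=set)

class Volume:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {"": Node()}  # "" is the volume root
        self.groups: Dict[str, Set[str]] = {}        # user -> group memberships

    def node(self, path: str) -> Node:
        """Return (creating if needed) the node for a slash-separated path."""
        return self.nodes.setdefault(path.strip("/"), Node())

    def _chain(self, path: str) -> List[str]:
        """Root-to-leaf list of paths, e.g. 'a/b' -> ['', 'a', 'a/b']."""
        parts = [p for p in path.split("/") if p]
        return [""] + ["/".join(parts[: i + 1]) for i in range(len(parts))]

    def effective_rights(self, user: str, path: str) -> Set[str]:
        """Union, over the user and its groups, of each trustee's rights at the path."""
        effective: Set[str] = set()
        for principal in {user} | self.groups.get(user, set()):
            rights: Set[str] = set()
            for dirpath in self._chain(path):
                node = self.nodes.get(dirpath, Node())
                if "S" in rights:
                    continue  # supervisor flows down unfiltered and cannot be revoked below
                if principal in node.trustees:
                    rights = set(node.trustees[principal])  # explicit assignment replaces inheritance
                else:
                    rights &= node.irf                       # the filter trims what flows down
            effective |= rights
        return set(ALL_RIGHTS) if "S" in effective else effective

    def check(self, user: str, path: str, operation: str) -> Tuple[bool, str]:
        """Rights decide first; an attribute then overrides the right for every user."""
        needed, blocking = OPERATIONS[operation]
        rights = self.effective_rights(user, path)
        if needed not in rights:
            have = "".join(r for r in "SRWCEMFA" if r in rights)
            return False, f"missing right {needed} (effective rights: {have})"
        overriding = self.nodes.get(path.strip("/"), Node()).attributes & blocking
        if overriding:
            return False, "attribute override: " + ", ".join(sorted(overriding))
        return True, "allowed"
```

To try it, build a `Volume`, put a user into a group with `volume.groups["bob"] = {"finance"}`, grant the group rights with `volume.node("data/finance").trustees["finance"] = {"R", "W", "C", "E", "M", "F"}`, narrow what flows into a subdirectory with `volume.node("data/finance/archive").irf = {"R", "F"}`, and mark a file with `volume.node("data/finance/budget.xlsx").attributes = {"delete-inhibit"}`. `check("bob", "data/finance/budget.xlsx", "delete")` is then refused by the attribute even though the group holds the erase right, and the same refusal applies to a supervisor, which is the point the attribute section makes.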
Server Security Control
The server console allows a range of privileged operations: loading and unloading modules, installing and removing software, and so on. Server security control therefore includes locking the console with a password, so that unauthorized people cannot modify or delete important information or destroy data, together with setting a server login time limit, intruder (illegal visitor) detection, and a shutdown interval.