
Chapter 2. General Network Security

Grant All versus Deny All

Two models are commonly used for granting users permission to do things on your computer system: Grant All, Deny Explicit and Deny All, Grant Explicit. As you can probably guess from their names, they are opposite ends of the same spectrum for granting permissions. Grant All works on the assumption that you grant everyone all permissions by default and deny only certain known permissions to known users. The Deny All model takes the opposite approach, in which you grant no permissions to anyone except the ones you explicitly decide are okay. The second method is commonly accepted to be vastly superior for systems requiring high security, but how do these apply to home users? Remember that these decisions are based entirely on two factors: your risk of being exposed (as determined in Chapter 1) and how usable and manageable you want your system to be. A more secure system generally requires more work to manage and maintain. You should include that factor in your decisions about security, because you do not want to secure your system to the point that it becomes unusable or unmanageable.

In a Grant All model, all users have permission to do all things unless you choose to deny them a particular right. This model is risky because any security hole or exposure that you don't know about isn't covered and therefore will exist in the system until you become aware of it and fix it. It is, however, a more usable system and requires less maintenance of the security settings. You also don't have to know ahead of time what your users will be doing on the system. They will typically have permission by default to do whatever they want, but this can lead to trouble. Users will be able to do things you didn't anticipate, including accidental or intentional alteration of data or system settings and access to most files, including those used by the operating system. Usually this isn't a big deal. Users of home systems aren't going to intentionally alter or destroy the data they own; however, they might accidentally do so, sometimes without even realizing it. By restricting some permissions to system files and important data, you can protect those files so they can't be altered by anyone who isn't authorized to do so.
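The two models can be compared side by side in a short Python check. This is an added illustration, not code from the book; the users, actions, paths and rules are constructed sample data. It shows a request nobody anticipated slipping through Grant All while Deny All refuses it, and a legitimate request that Deny All blocks until someone adds a grant.

```python
from fnmatch import fnmatchcase

# Constructed sample rules: (user pattern, action pattern, resource pattern).
DENY_EXPLICIT = [                      # used by Grant All, Deny Explicit
    ("*", "write", "/system/*"),       # the one risk the owner thought of
    ("guest", "*", "/home/alice/*"),
]
GRANT_EXPLICIT = [                     # used by Deny All, Grant Explicit
    ("alice", "*", "/home/alice/*"),
    ("*", "read", "/shared/*"),
    ("guest", "read", "/system/help/*"),
]

def matches(rule, request):
    """True when every field of the request fits the rule's wildcard pattern."""
    return all(fnmatchcase(value, pattern) for pattern, value in zip(rule, request))

def grant_all(request, denies=DENY_EXPLICIT):
    """Grant All: allowed unless some deny rule matches."""
    return not any(matches(rule, request) for rule in denies)

def deny_all(request, grants=GRANT_EXPLICIT):
    """Deny All: refused unless some grant rule matches."""
    return any(matches(rule, request) for rule in grants)

# Constructed sample requests: (user, action, resource).
REQUESTS = [
    ("alice", "write", "/home/alice/notes.txt"),   # anticipated use
    ("guest", "read", "/shared/photos/cat.jpg"),   # anticipated use
    ("guest", "write", "/system/hosts"),           # known risk
    ("guest", "delete", "/system/hosts"),          # nobody listed "delete"
    ("alice", "write", "/shared/photos/cat.jpg"),  # legitimate, not yet granted
]

def compare(requests=REQUESTS):
    """Return (request, allowed under Grant All, allowed under Deny All)."""
    return [(req, grant_all(req), deny_all(req)) for req in requests]

if __name__ == "__main__":
    print(f"{'request':<48}{'grant-all':<11}deny-all")
    for req, ga, da in compare():
        print(f"{' '.join(req):<48}{str(ga):<11}{da}")
```

The fourth request is the unknown exposure the text describes, and the fifth is the extra maintenance Deny All costs.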

