An access control list (ACL) is a set of permissions that grant or deny access to system resources. Ensuring the right users can reach the right objects is critical to business operations. But at the same time, preventing the wrong people from accessing those objects is essential to security. Depending on the user’s role and needs, they may have broad access to resources or very limited permissions.
In that respect, an access control list is like an invitation list to an exclusive party at a billionaire’s mansion. Sure, being on the list lets you through the door. However, it doesn’t give you permission to enjoy a bubble bath in the main bathroom.
While the concept of an access control rule is relatively straightforward, there’s far more to it than meets the eye. We’ll explain what you should know about access control lists, including their usage, how they work, and different varieties.
Why use an access control list?
At the most basic level, businesses use access control lists to — wait for it — control access. But the purposes of controlling access may vary.
Enhance security
Allowing every user free rein across all resources opens your business up to massive security risks. One angry employee, stolen laptop, or set of compromised credentials could give an intruder access to personally identifiable information (PII), account numbers, trade secrets, and more. However, if you limit each employee’s access to the objects they need with a file system ACL, an incident like this should be more contained.
Control the flow of traffic
By restricting which IP addresses, protocols (TCP, UDP, ICMP), and directions are allowed, you can control outbound and inbound traffic. While this is crucial for preventing unauthorized access, it can also improve network performance by reducing unnecessary traffic.
Provide granular monitoring
Using a network ACL allows you to control what network traffic is forwarded and dropped, but you can also monitor it on a granular level. Configuring ACL logging collects statistics and information on permitted and dropped packets.
How does an ACL work?
An ACL works by filtering access requests. It may do this in one of two ways:
Networking ACLs: A networking ACL applies on layer 3 devices such as routers, establishing which traffic can access the network and what activities are permissible.
File system ACLs: A file system ACL dictates which users can access specific files and directories and defines their privileges.
The ACL checks incoming and outgoing traffic against each ACL rule to determine compliance and filter traffic accordingly.
What are the components and setup of an ACL?
The following components are critical when defining a network access control entry:
Sequence number: Identifies the ACL entry
ACL name: May be used instead of a number to identify an entry
Remark: A router may allow remarks, comments, or descriptions
Statement: Permits or denies sources
Network protocol: Permits or denies IP, IPX, TCP, ICMP, UDP, NetBIOS, etc.
Source or destination: Defines the source or destination as all addresses, an IP range (CIDR), or a single IP
Log: Some devices can maintain a log of permitted and denied packets
Other criteria: An advanced access control list may allow filtering by IP precedence, type of service (ToS), and differentiated services code point (DSCP) priority
File system ACLs include the following components:
Owner: Identifies who owns the ACL
Group: Specifies the default group that gets access to files
Access rights: Defines the user’s level of access; can contain additional users or groups
Setting up an ACL isn't always straightforward.
ACLs on the network level vary by vendor and OS of the device in question.
For a folder ACL, you can use PowerShell. Use Get-Acl to pull in the current ACL, modify it, then apply it back to the folder with Set-Acl.
This gets the ACL for C:\temp, modifies it to stop inheriting permissions from the parent folder, and reapplies it to the folder:
# Read the current ACL of the folder
$acl = Get-Acl C:\temp
# First $true: disable inheritance from the parent
# Second $true: keep copies of the inherited rules as explicit entries ($false would strip them)
$acl.SetAccessRuleProtection($true, $true)
# Write the modified ACL back to the folder
$acl | Set-Acl C:\temp
Configuration guidelines
When configuring an access control list, keep the following rules in mind:
Limit it to one ACL per interface per protocol per direction
List the most specific statements first due to top-down processing
Include at least one permit entry; otherwise the implicit deny-all statement at the end of every list will block all traffic
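As an added illustration (not code from the original article) of the entry components listed earlier and of the top-down, implicit-deny behaviour behind these guidelines, here is a small Python evaluator that checks constructed packets against a constructed list, logs hits, and flags entries that an earlier, broader entry shadows. The subnets, hosts and port numbers are made up for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:                       # one access control entry, fields as listed above
    seq: int                       # sequence number: position in top-down evaluation
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                       # source CIDR ("0.0.0.0/0" = any, "/32" = one host)
    dst: str                       # destination CIDR
    dport: "int | None" = None     # destination port, None = any port
    log: bool = False              # record packets that hit this entry

def _covers(e: Entry, proto: str, src: str, dst: str, dport) -> bool:
    # True if entry e applies to every packet described by (proto, src, dst, dport)
    return (e.proto in ("ip", proto) and e.dport in (None, dport)
            and ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(e.src))
            and ipaddress.ip_network(dst).subnet_of(ipaddress.ip_network(e.dst)))

def evaluate(acl, proto, src, dst, dport, log) -> str:
    # Top-down, first match wins; the implicit deny-all applies when nothing matches.
    for e in sorted(acl, key=lambda e: e.seq):
        if _covers(e, proto, src, dst, dport):
            if e.log:
                log.append(f"seq {e.seq} {e.action} {proto} {src}->{dst}:{dport}")
            return e.action
    log.append(f"implicit deny {proto} {src}->{dst}:{dport}")
    return "deny"

def shadowed(acl) -> list:
    # Entries an earlier, broader entry fully covers can never match (ordering error).
    ordered = sorted(acl, key=lambda e: e.seq)
    return [late.seq for i, late in enumerate(ordered)
            if any(_covers(early, late.proto, late.src, late.dst, late.dport)
                   for early in ordered[:i])]

# Constructed example: keep one host off the database subnet on tcp/3306,
# permit the rest of its /24, and let the implicit deny handle everything else.
DB = "10.2.0.0/24"
CORRECT = [Entry(10, "deny", "tcp", "10.1.1.50/32", DB, 3306, log=True),
           Entry(20, "permit", "tcp", "10.1.1.0/24", DB, 3306)]
WRONG = [Entry(10, "permit", "tcp", "10.1.1.0/24", DB, 3306),          # broad permit first:
         Entry(20, "deny", "tcp", "10.1.1.50/32", DB, 3306, log=True)]  # the deny is dead

if __name__ == "__main__":
    hits = []
    for name, acl in (("correct", CORRECT), ("wrong", WRONG)):
        verdicts = [evaluate(acl, "tcp", h, "10.2.0.10", 3306, hits) for h in ("10.1.1.50", "10.1.1.51")]
        print(name, verdicts, "shadowed:", shadowed(acl))
    print("\n".join(hits))
```

Running it shows the same two entries permitting the blocked host once their order is swapped, and the UDP packet falling through to the implicit deny because nothing permits it.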
What are the different types of ACLs?
There are countless types of ACLs that vary in their designs and benefits. When crafting an IP ACL, you can choose between over a dozen types. However, ACLs generally break down into four main categories: standard, extended, dynamic, and reflexive.
Standard ACL
A standard ACL filters traffic based on the source address. This basic type of ACL doesn’t provide robust protection, but it may be useful for simple deployments when security isn’t a major concern.
Extended ACL
An extended access control list is capable of filtering based on multiple factors, including source, destination, port, and protocol. This provides greater flexibility. However, since lists remain static, you must actively manage changes.
Dynamic ACL
Dynamic ACLs are conditional ACLs that apply when set criteria about the user, device, or metadata tags are met. Tying the ACL to user authentication instead of IP address can make access easier for users who frequently travel or switch computers.
Reflexive ACL
Also referred to as IP session ACLs, reflexive ACLs combine session filtering and packet filtering capabilities. A reflexive ACL can be used to permit the return traffic of sessions that originated inside the network.
What's the difference between role-based access control (RBAC) and ACL?
RBAC is an access control method based on a user’s role, authority, or competency rather than their identity. For larger organizations, in particular, using RBAC can simplify the administration of each access permission and reduce the IT team’s workload. In contrast, ACL may be more appropriate for low-level data that warrants user-level control.
What are access control list best practices?
Implementing best practices can help keep your access controls current, effective, and manageable. High-priority tasks include:
Develop a baseline
Before creating a new ACL, you should have a clear picture of your company’s current access rights and controls. Understanding the landscape can help you spot holes in your processes and assess the best course of action.
Automate user provisioning
Manual user provisioning and compliance monitoring are time-consuming, error-prone, and just an all-around pain. Automating the creation, modification, and deletion of user accounts slashes the work for your IT team.
Consider regulatory compliance and the business case
Many industries are subject to compliance requirements that call for an access control program. You should familiarize yourself with these guidelines to ensure your ACL complies. But beyond mere compliance, your ACL should also provide a good ROI by enhancing productivity while limiting your IT team’s time commitment.
Adopt role-based access
Departments and positions vary in their resource needs depending on their responsibilities. Using role-based access control can ensure employees have access to the resources they need while reducing the administrative burden.
Use the principle of least privilege
Security experts tout the principle of least privilege. This just means to always err on the side of caution when granting access. Each employee should have the bare minimum access that’s necessary to do their job. Since IT and security staff need broader access and oversee the access controls, their accounts should be closely monitored. An angry IT or security professional can do serious damage if they become a malicious insider.
A well-crafted access list may be the best thing to happen to your IT department since Red Bull first introduced different flavors. While implementation can be tricky, the right ACL for your business can enhance network security, boost reliability, increase compliance, and more.