Permissions and ACLs – CompTIA Security+ SY0-401: 4.4


A common way to secure files and networks is through the use of access control lists. In this video, you’ll learn about ACLs and how they are used for network and file system security.



An access control list is a set of permissions that is assigned to an object. You’ll hear these referred to as ACLs. They’re used on many different kinds of technologies: firewalls, switches, routers, and operating systems all use ACLs to some degree to allow or restrict access to certain parts of the network or to certain parts of an operating system.

An ACL usually refers to a set of permissions applied to an object. These can be broad statements, such as Bob can read certain files on a file server, or Fred can access a certain part of the network. They can also be very specific.

For instance, James can access network 192.168.1.0/24 if he is using TCP ports 80, 443, and 8088. You can build very complex ACLs depending on the type of permissions you need for that particular object.

Many operating systems use ACLs to control access to files. These are the rights and permissions that you might assign to a user or to a group. So you can apply a set of permissions that lets the marketing group access advertising information, while denying that same area of the file system to another group, such as the shipping and receiving department.

These ACLs can also be very complex, and you can create very specific controls with them. Here’s an example of an access control list you might see on a network device, like a firewall or router. The first statement of access list 1 denies any traffic that is coming from 172.16.15.2. There’s a mask at the end of the statement, and this particular mask specifies that the entry applies to just this one IP address.

As part of the same access list, we also have a deny statement that denies 172.16.5.3. So if these two IP addresses should never go across the network, the first two statements of this access control list will deny them any access through this device. The last statement in the access list permits any, which means that if traffic doesn’t match 172.16.5.2 or 172.16.5.3, then anybody else is allowed access through the network.
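To make the top-down behaviour concrete, here is an added example (not code from the video or its slides) that evaluates a small router-style access list the way the device described above does: entries are checked in order, the first match decides, and anything that matches no entry is dropped by the implicit deny at the end of every list. It models both the two-host deny list from this section and the earlier "James" rule (192.168.1.0/24 over TCP 80, 443 and 8088). The rule syntax, the wildcard-mask handling, and James's host address 10.0.0.7 are assumptions made for the example; the addresses in the lists are constructed to mirror the ones in the text.

```python
"""Top-down ACL evaluation with router-style wildcard masks (added example).

Each entry carries an action, a source address with a wildcard mask
(0 bits must match, 1 bits are ignored), an optional destination network,
an optional protocol and an optional set of destination ports. Entries are
checked from the top; the first match decides; a packet that matches nothing
is denied (the implicit deny at the end of every access list).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    src: str                           # source address, e.g. "172.16.5.2"
    wildcard: str = "0.0.0.0"          # 0.0.0.0 = this host only; 255.255.255.255 = any host
    dst_net: Optional[str] = None      # e.g. "192.168.1.0/24"; None = any destination
    proto: Optional[str] = None        # "tcp", "udp" or None for any protocol
    dst_ports: frozenset = frozenset() # empty = any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
        # Wildcard compare: a mask bit of 1 means "don't care", so keep only the 0 bits.
        keep = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        if (int(IPv4Address(src_ip)) & keep) != (int(IPv4Address(self.src)) & keep):
            return False
        if self.dst_net and IPv4Address(dst_ip) not in IPv4Network(self.dst_net):
            return False
        if self.proto and self.proto != proto:
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str,
             proto: str = "tcp", dst_port: int = 0) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the entry that matched).

    The index is None when no entry matched and the implicit deny applied.
    """
    for index, entry in enumerate(acl):
        if entry.matches(src_ip, dst_ip, proto, dst_port):
            return entry.action, index
    return "deny", None  # implicit deny: nothing above matched


def any_host(action: str, **kwargs) -> AclEntry:
    """Entry that matches every source address ("permit any" / "deny any")."""
    return AclEntry(action, "0.0.0.0", "255.255.255.255", **kwargs)


# Constructed list mirroring the video's example: two single-host denies, then permit any.
ACL_1 = [
    AclEntry("deny", "172.16.5.2"),
    AclEntry("deny", "172.16.5.3"),
    any_host("permit"),
]

# Constructed list for the "James" rule. 10.0.0.7 is an assumed address for James's host.
# There is no "permit any" at the end, so everything else falls to the implicit deny.
JAMES_HOST = "10.0.0.7"
ACL_JAMES = [
    AclEntry("permit", JAMES_HOST, dst_net="192.168.1.0/24", proto="tcp",
             dst_ports=frozenset({80, 443, 8088})),
]

# Same two denies as ACL_1 but with "permit any" placed first: because evaluation is
# top-down and stops at the first match, the denies below it are never reached.
ACL_MISORDERED = [any_host("permit")] + ACL_1[:2]


if __name__ == "__main__":
    for src in ("172.16.5.2", "172.16.5.3", "172.16.5.4"):
        print("ACL 1", src, "->", evaluate(ACL_1, src, "10.1.1.1"))
    print("James to 192.168.1.20:443 ->", evaluate(ACL_JAMES, JAMES_HOST, "192.168.1.20", "tcp", 443))
    print("James to 192.168.1.20:22  ->", evaluate(ACL_JAMES, JAMES_HOST, "192.168.1.20", "tcp", 22))
    print("Misordered list, 172.16.5.2 ->", evaluate(ACL_MISORDERED, "172.16.5.2", "10.1.1.1"))
```

The returned index tells you which line made the decision, which is the check a practitioner wants when an ACL does not behave as expected: a deny that never fires is almost always shadowed by a broader permit above it, as `ACL_MISORDERED` shows.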

These are very simple access lists in this particular view. But they should give you an idea of how you can use this top-down approach, in which rules are evaluated in order from the first statement down, to add rules that allow or disallow access to your network or to your operating system.